commit 5dd2e9869de2d28fc7e5c274ff9c12af4361ba86 Author: Greg Kroah-Hartman Date: Fri Jun 7 12:54:00 2013 -0700 Linux 3.9.5 commit a12c866cc1665ea4800eb6c171f44e14d7df16d9 Author: Wei Liu Date: Thu May 2 00:43:59 2013 +0000 xen-netback: better names for thresholds commit 376414945d15aa636e65f7e773c1e398b7a21cb9 upstream. This patch only changes some names to avoid confusion. In this patch we have: MAX_SKB_SLOTS_DEFAULT -> FATAL_SKB_SLOTS_DEFAULT max_skb_slots -> fatal_skb_slots #define XEN_NETBK_LEGACY_SLOTS_MAX XEN_NETIF_NR_SLOTS_MIN The fatal_skb_slots is the threshold to determine whether a packet is malicious. XEN_NETBK_LEGACY_SLOTS_MAX is the maximum slots a valid packet can have at this point. It is defined to be XEN_NETIF_NR_SLOTS_MIN because that's guaranteed to be supported by all backends. Suggested-by: Ian Campbell Signed-off-by: Wei Liu Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit b113898f2cfe280aaf3fc0743eb798778dedaee0 Author: Johannes Berg Date: Thu May 23 22:24:11 2013 +0200 mac80211_hwsim: remove P2P_DEVICE support Unfortunately, advertising P2P_DEVICE support was a little premature, a number of issues came up in testing and have been fixed for 3.10. Rather than try to backport all the different fixes, disable P2P_DEVICE support in the drivers using it. Signed-off-by: Johannes Berg Signed-off-by: Greg Kroah-Hartman commit 2e8a935b639356f8397d39b118ac914d99b55871 Author: Johannes Berg Date: Thu May 23 22:24:31 2013 +0200 iwlwifi: mvm: remove P2P_DEVICE support Unfortunately, advertising P2P_DEVICE support was a little premature, a number of issues came up in testing and have been fixed for 3.10. Rather than try to backport all the different fixes, disable P2P_DEVICE support in the drivers using it. For iwlmvm that implies disabling P2P completely as it can't support P2P operation w/o P2P Device. Signed-off-by: Johannes Berg Signed-off-by: Greg Kroah-Hartman commit 539f197a06fd6eb2d1211bac9133e8c903fcc70c Author: Wei Liu Date: Mon Apr 22 02:20:41 2013 +0000 xen-netfront: reduce gso_max_size to account for max TCP header commit 9ecd1a75d977e2e8c48139c7d3efed183f898d94 upstream. The maximum packet including header that can be handled by netfront / netback wire format is 65535. Reduce gso_max_size accordingly. Drop skb and print warning when skb->len > 65535. This can 1) save the effort to send malformed packet to netback, 2) help spotting misconfiguration of netfront in the future. Signed-off-by: Wei Liu Acked-by: Ian Campbell Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit d05a2b14b1b8263ab7467076cdf842b673695267 Author: Wei Liu Date: Thu May 2 00:43:58 2013 +0000 xen-netback: avoid allocating variable size array on stack commit 59ccb4ebbc35e36a3c143f2d1355deb75c2e628f upstream. Tune xen_netbk_count_requests to not touch working array beyond limit, so that we can make working array size constant. Suggested-by: Jan Beulich Signed-off-by: Wei Liu Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 8660ef055e202b6f383fd7300a6cbc49c08eba89 Author: Wei Liu Date: Thu May 2 00:43:57 2013 +0000 xen-netback: remove redundent parameter in netbk_count_requests commit ac69c26e7accb04ae2cb9ab0872068983a42b3c8 upstream. Tracking down from the caller, first_idx is always equal to vif->tx.req_cons. Remove it to avoid confusion. Suggested-by: Jan Beulich Signed-off-by: Wei Liu Acked-by: Ian Campbell Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 7ba65651e0c75fa221d8ca41aec99843b4055304 Author: Wei Liu Date: Mon Apr 22 02:20:43 2013 +0000 xen-netback: don't disconnect frontend when seeing oversize packet commit 03393fd5cc2b6cdeec32b704ecba64dbb0feae3c upstream. Some frontend drivers are sending packets > 64 KiB in length. This length overflows the length field in the first slot making the following slots have an invalid length. Turn this error back into a non-fatal error by dropping the packet. To avoid having the following slots having fatal errors, consume all slots in the packet. This does not reopen the security hole in XSA-39 as if the packet as an invalid number of slots it will still hit fatal error case. Signed-off-by: David Vrabel Signed-off-by: Wei Liu Acked-by: Ian Campbell Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit c34e3784b94f9eef8860bb142ca56fddb3c5951f Author: Wei Liu Date: Mon Apr 22 02:20:42 2013 +0000 xen-netback: coalesce slots in TX path and fix regressions commit 2810e5b9a7731ca5fce22bfbe12c96e16ac44b6f upstream. This patch tries to coalesce tx requests when constructing grant copy structures. It enables netback to deal with situation when frontend's MAX_SKB_FRAGS is larger than backend's MAX_SKB_FRAGS. With the help of coalescing, this patch tries to address two regressions avoid reopening the security hole in XSA-39. Regression 1. The reduction of the number of supported ring entries (slots) per packet (from 18 to 17). This regression has been around for some time but remains unnoticed until XSA-39 security fix. This is fixed by coalescing slots. Regression 2. The XSA-39 security fix turning "too many frags" errors from just dropping the packet to a fatal error and disabling the VIF. This is fixed by coalescing slots (handling 18 slots when backend's MAX_SKB_FRAGS is 17) which rules out false positive (using 18 slots is legit) and dropping packets using 19 to `max_skb_slots` slots. To avoid reopening security hole in XSA-39, frontend sending packet using more than max_skb_slots is considered malicious. The behavior of netback for packet is thus: 1-18 slots: valid 19-max_skb_slots slots: drop and respond with an error max_skb_slots+ slots: fatal error max_skb_slots is configurable by admin, default value is 20. Also change variable name from "frags" to "slots" in netbk_count_requests. Please note that RX path still has dependency on MAX_SKB_FRAGS. This will be fixed with separate patch. Signed-off-by: Wei Liu Acked-by: Ian Campbell Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 900477d9933b56aa813120e7ead831cfe8f21a47 Author: Timo Teräs Date: Fri May 17 00:48:39 2013 -0700 leds: leds-gpio: reserve gpio before using it commit 803d19d57a042e86e9e9b685bbc3f4a0a751040f upstream. This reverts commit a99d76f (leds: leds-gpio: use gpio_request_one) and commit 2d7c22f (leds: leds-gpio: set devm_gpio_request_one() flags param correctly) which was a fix of the first one. The conversion to devm_gpio_request in commit e3b1d44c (leds: leds-gpio: use devm_gpio_request_one) is not reverted. The problem is that gpio_cansleep() and gpio_get_value_cansleep() calls can crash if the gpio is not first reserved. Incidentally this same bug existed earlier and was fixed similarly in commit d95cbe61 (leds: Fix potential leds-gpio oops). But the OOPS is real. It happens when GPIOs are provided by module which is not yet loaded. So this fixes the following BUG during my ALIX boot (3.9.2-vanilla): BUG: unable to handle kernel NULL pointer dereference at 0000004c IP: [] __gpio_cansleep+0xe/0x1a *pde = 00000000 Oops: 0000 [#1] SMP Modules linked in: leds_gpio(+) via_rhine mii cs5535_mfd mfd_core geode_rng rng_core geode_aes isofs nls_utf8 nls_cp437 vfat fat ata_generic pata_amd pata_cs5536 pata_acpi libata ehci_pci ehci_hcd ohci_hcd usb_storage usbcore usb_common sd_mod scsi_mod squashfs loop Pid: 881, comm: modprobe Not tainted 3.9.2 #1-Alpine EIP: 0060:[] EFLAGS: 00010282 CPU: 0 EIP is at __gpio_cansleep+0xe/0x1a EAX: 00000000 EBX: cf364018 ECX: c132b8b9 EDX: 00000000 ESI: c13993a4 EDI: c1399370 EBP: cded9dbc ESP: cded9dbc DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068 CR0: 8005003b CR2: 0000004c CR3: 0f0c4000 CR4: 00000090 DR0: 00000000 DR1: 00000000 DR2: 00000000 DR3: 00000000 DR6: ffff0ff0 DR7: 00000400 Process modprobe (pid: 881, ti=cded8000 task=cf094aa0 task.ti=cded8000) Stack: cded9de0 d09471cb 00000000 c1399260 cf364014 00000000 c1399260 c1399254 d0949014 cded9df4 c118cd59 c1399260 d0949014 d0949014 cded9e08 c118ba47 c1399260 d0949014 c1399294 cded9e1c c118bb75 cded9e24 d0949014 00000000 Call Trace: [] gpio_led_probe+0xba/0x203 [leds_gpio] [] platform_drv_probe+0x26/0x48 [] driver_probe_device+0x75/0x15c [] __driver_attach+0x47/0x63 [] bus_for_each_dev+0x3c/0x66 [] driver_attach+0x14/0x16 [] ? driver_probe_device+0x15c/0x15c [] bus_add_driver+0xbd/0x1bc [] ? 0xd08b3fff [] ? 0xd08b3fff [] driver_register+0x74/0xec [] ? 0xd08b3fff [] platform_driver_register+0x38/0x3a [] gpio_led_driver_init+0xd/0x1000 [leds_gpio] [] do_one_initcall+0x6b/0x10f [] ? 0xd08b3fff [] load_module+0x1631/0x1907 [] ? insert_vmalloc_vmlist+0x14/0x43 [] ? __vmalloc_node_range+0x13e/0x15f [] sys_init_module+0x62/0x77 [] syscall_call+0x7/0xb EIP: [] __gpio_cansleep+0xe/0x1a SS:ESP 0068:cded9dbc CR2: 000000000000004c ---[ end trace 5308fb20d2514822 ]--- Signed-off-by: Timo Teräs Cc: Sachin Kamat Cc: Raphael Assenat Cc: Trent Piepho Cc: Javier Martinez Canillas Cc: Arnaud Patard Cc: Ezequiel Garcia Acked-by: Jingoo Han Signed-off-by: Bryan Wu Signed-off-by: Jonghwan Choi Signed-off-by: Greg Kroah-Hartman commit 0813b7c39d5d046feb9e7a632abd09aaafae056e Author: Nicholas Bellinger Date: Wed May 29 21:35:23 2013 -0700 target/file: Fix off-by-one READ_CAPACITY bug for !S_ISBLK export commit 21363ca873334391992f2f424856aa864345bb61 upstream. This patch fixes a bug where FILEIO was incorrectly reporting the number of logical blocks (+ 1) when using non struct block_device export mode. It changes fd_get_blocks() to follow all other backend ->get_blocks() cases, and reduces the calculated dev_size by one dev->dev_attrib.block_size number of bytes, and also fixes initial fd_block_size assignment at fd_configure_device() time introduced in commit 0fd97ccf4. Reported-by: Wenchao Xia Reported-by: Badari Pulavarty Tested-by: Badari Pulavarty Signed-off-by: Nicholas Bellinger Signed-off-by: Lingzhu Xiang Signed-off-by: Greg Kroah-Hartman commit befb0ab8d1a9f51fb1682aaec9f0ab0eb23228e8 Author: Nicholas Bellinger Date: Wed May 15 00:52:44 2013 -0700 target: Re-instate sess_wait_list for target_wait_for_sess_cmds commit 9b31a328e344e62e7cc98ae574edcb7b674719bb upstream. Switch back to pre commit 1c7b13fe652 list splicing logic for active I/O shutdown with tcm_qla2xxx + ib_srpt fabrics. The original commit was done under the incorrect assumption that it's safe to walk se_sess->sess_cmd_list unprotected in target_wait_for_sess_cmds() after sess->sess_tearing_down = 1 has been set by target_sess_cmd_list_set_waiting() during session shutdown. So instead of adding sess->sess_cmd_lock protection around sess->sess_cmd_list during target_wait_for_sess_cmds(), switch back to sess->sess_wait_list to allow wait_for_completion() + TFO->release_cmd() to occur without having to walk ->sess_cmd_list after the list_splice. Also add a check to exit if target_sess_cmd_list_set_waiting() has already been called, and add a WARN_ON to check for any fabric bug where new se_cmds are added to sess->sess_cmd_list after sess->sess_tearing_down = 1 has already been set. Signed-off-by: Nicholas Bellinger Cc: Joern Engel Cc: Roland Dreier Signed-off-by: Lingzhu Xiang Signed-off-by: Greg Kroah-Hartman commit 0c3b40345eb1d1202b84071d84964290cebb3022 Author: Miklos Szeredi Date: Mon Jun 3 14:40:22 2013 +0200 fuse: fix readdirplus Oops in fuse_dentry_revalidate commit 28420dad233520811c0e0860e7fb4975ed863fc4 upstream. Fix bug introduced by commit 4582a4ab2a "FUSE: Adapt readdirplus to application usage patterns". We need to check for a positive dentry; negative dentries are not added by readdirplus. Secondly we need to advise the use of readdirplus on the *parent*, otherwise the whole thing is useless. Thirdly all this is only relevant if "readdirplus_auto" mode is selected by the filesystem. We advise the use of readdirplus only if the dentry was still valid. If we had to redo the lookup then there was no use in doing the -plus version. Reported-by: Bernd Schubert Signed-off-by: Miklos Szeredi CC: Feng Shuo Signed-off-by: Greg Kroah-Hartman commit 4ad79e1a9b1ba785ff66f701ee063cde592b2b0e Author: Daniel Mack Date: Thu May 16 15:25:01 2013 +0200 ASoC: davinci: fix sample rotation commit 796718925159523919a589ecbd6d1811c22ef55f upstream. McASP serial audio engine needs different rotation values on TX and RX channels. Commit dde109fb462 ("ASoC: McASP: Fix data rotation for playback. Enables 24bit audio playback") changed the calculation to fix the playback format, but broke the capture stream by doing it for both TXFMT and RXFMT. Signed-off-by: Daniel Mack Signed-off-by: Mark Brown Signed-off-by: Lingzhu Xiang Signed-off-by: Greg Kroah-Hartman commit d38b707924f9bbdd5098ea8022d35acd8c0899ac Author: Or Gerlitz Date: Wed May 1 13:25:26 2013 +0000 IB/iser: Return error to upper layers on EAGAIN registration failures commit 450d1e40d597dd71843457c73d372c4b4f2a83eb upstream. Commit 819a087316a6 ("IB/iser: Avoid error prints on EAGAIN registration failures") not only eliminated the error print on that case, but rather also modified the code such that it doesn't return any error to upper layers. As a result a wrong mapping was used. Fix this to correctly return the error in that case. Signed-off-by: Or Gerlitz Signed-off-by: Roland Dreier Signed-off-by: Greg Kroah-Hartman commit 4e7955a0b12b1e47c87acb11a156b2576406a8eb Author: Jonas Peterson Date: Tue May 7 22:05:23 2013 +0200 net: can: kvaser_usb: fix reception on "USBcan Pro" and "USBcan R" type hardware. commit a90f13b24fb40d02d11496cce6a10ae8d4b319b2 upstream. Unlike Kvaser Leaf light devices, some other Kvaser devices (like USBcan Pro, USBcan R) receive CAN messages in CMD_LOG_MESSAGE frames. This patch adds support for it. Signed-off-by: Jonas Peterson Signed-off-by: Olivier Sobrie Signed-off-by: Marc Kleine-Budde Signed-off-by: Greg Kroah-Hartman commit 330733ae806a83fa59a019fb086be5743323ecac Author: Nithin Sujir Date: Mon Jun 3 09:19:34 2013 +0000 tg3: Add read dma workaround for 5720 commit 9bc297ea0622bb2a6b3abfa2fa84f0a3b86ef8c8 upstream. Commit 091f0ea30074bc43f9250961b3247af713024bc6 "tg3: Add New 5719 Read DMA workaround" added a workaround for TX DMA stall on the 5719. This workaround needs to be applied to the 5720 as well. Reported-by: Roland Dreier Tested-by: Roland Dreier Signed-off-by: Nithin Nayak Sujir Signed-off-by: Michael Chan Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 536b876c8e905a4ba08a6680eb358e2535d3c44c Author: Gabor Juhos Date: Tue May 28 14:52:19 2013 +0200 ath9k: use correct OTP register offsets for AR9550 commit add295a4afbdf5852d004c754c552d692b0fcac8 upstream. Accessing the OTP memory on AR9950 causes a data bus like this: Data bus error, epc == 801f7774, ra == 801f7774 Oops[#1]: CPU: 0 PID: 1 Comm: swapper Not tainted 3.10.0-rc3 #592 task: 87c28000 ti: 87c22000 task.ti: 87c22000 $ 0 : 00000000 00000061 deadc0de 00000000 $ 4 : b8115f18 00015f18 00000007 00000004 $ 8 : 00000001 7c7c3c7c 7c7c7c7c 7c7c7c7c $12 : 7c7c3c7c 80320a68 00000000 7c7c7c3c $16 : 87cd8010 00015f18 00000007 00000000 $20 : 00000064 00000004 87c23c7c 8035210c $24 : 00000000 801f3674 $28 : 87c22000 87c23b48 00000001 801f7774 Hi : 00000000 Lo : 00000064 epc : 801f7774 ath9k_hw_wait+0x58/0xb0 Not tainted ra : 801f7774 ath9k_hw_wait+0x58/0xb0 Status: 1000cc03 KERNEL EXL IE Cause : 4080801c PrId : 00019750 (MIPS 74Kc) Modules linked in: Process swapper (pid: 1, threadinfo=87c22000, task=87c28000, ts=00000000) Stack : 0000000f 00000061 00002710 8006240c 00000001 87cd8010 87c23bb0 87cd8010 00000000 00000004 00000003 80210c7c 000000b3 67fa8000 0000032a 000006fe 000003e8 00000002 00000028 87c23bf0 000003ff 80210d24 803e5630 80210e28 00000000 00000007 87cd8010 00007044 00000004 00000061 000003ff 000001ff 87c26000 87cd8010 00000220 87cd8bb8 80210000 8020fcf4 87c22000 87c23c08 ... Call Trace: [<801f7774>] ath9k_hw_wait+0x58/0xb0 [<80210c7c>] ar9300_otp_read_word+0x80/0xd4 [<80210d24>] ar9300_read_otp+0x54/0xb0 [<8020fcf4>] ar9300_check_eeprom_header+0x1c/0x40 [<80210fe4>] ath9k_hw_ar9300_fill_eeprom+0x118/0x39c [<80206650>] ath9k_hw_eeprom_init+0x74/0xb4 [<801f96d0>] ath9k_hw_init+0x7ec/0x96c [<801e65ec>] ath9k_init_device+0x340/0x758 [<801f35d0>] ath_ahb_probe+0x21c/0x2c0 [<801c041c>] driver_probe_device+0xc0/0x1e4 [<801c05ac>] __driver_attach+0x6c/0xa4 [<801bea08>] bus_for_each_dev+0x64/0xa8 [<801bfa40>] bus_add_driver+0xcc/0x24c [<801c0954>] driver_register+0xbc/0x17c [<803f8fc0>] ath9k_init+0x5c/0x88 [<800608fc>] do_one_initcall+0xec/0x1a0 [<803e6a68>] kernel_init_freeable+0x13c/0x200 [<80309cdc>] kernel_init+0x1c/0xe4 [<80062450>] ret_from_kernel_thread+0x10/0x18 On the AR9550, the OTP registers are located at the same address as on the AR9340. Use the correct values to avoid the error. Signed-off-by: Gabor Juhos Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit d11abfdb44b3265080020052b81485f6ac5eecab Author: Johannes Berg Date: Thu May 23 18:10:21 2013 +0200 cfg80211: check wdev->netdev in connection work commit c815797663b72e3ac1736f1886538152bc48e4af upstream. If a P2P-Device is present and another virtual interface triggers the connection work, the system crash because it tries to check if the P2P-Device's netdev (which doesn't exist) is up. Skip any wdevs that have no netdev to fix this. Reported-by: YanBo Signed-off-by: Johannes Berg Signed-off-by: Greg Kroah-Hartman commit b2ba5adbf6766a8b49425763ec0c2c182a088f92 Author: Emmanuel Grumbach Date: Thu May 2 15:01:24 2013 +0300 iwlwifi: mvm: tell firmware to let multicast frames in commit 51b6b9e029e81c857f9d8d17060f499cd25febdb upstream. Without this command, the firmware will filter out all the multicast frames. Let them all in as for now. Later we will want to optimize this to save power. Signed-off-by: Emmanuel Grumbach Signed-off-by: Johannes Berg Signed-off-by: Lingzhu Xiang Signed-off-by: Greg Kroah-Hartman commit ea5a1a47a540f7a6b97d7bd2619371968566acf0 Author: Emmanuel Grumbach Date: Wed May 22 10:48:10 2013 +0300 iwlwifi: dvm: fix zero LQ CMD sending avoidance commit a87783699b23395c46bbeeb5d28f6db24897bf26 upstream. In 63b77bf489881747c5118476918cc8c29378ee63 iwlwifi: dvm: don't send zeroed LQ cmd I tried to avoid to send zeroed LQ cmd, but I made a (very) stupid mistake in the memcmp. Since this patch has been ported to stable, the fix should go to stable too. This fixes https://bugzilla.kernel.org/show_bug.cgi?id=58341 Reported-by: Hinnerk van Bruinehsen Signed-off-by: Emmanuel Grumbach Signed-off-by: Johannes Berg Signed-off-by: Greg Kroah-Hartman commit b6b2169ddbc713d6cf12e562b6d991d6d23dc0fa Author: Johannes Berg Date: Fri May 24 01:06:09 2013 +0200 mac80211: close AP_VLAN interfaces before unregistering all commit c8aa22db0112f640ac6631347f850879c621840b upstream. Since Eric's commit efe117ab8 ("Speedup ieee80211_remove_interfaces") there's a bug in mac80211 when it unregisters with AP_VLAN interfaces up. If the AP_VLAN interface was registered after the AP it belongs to (which is the typical case) and then we get into this code path, unregister_netdevice_many() will crash because it isn't prepared to deal with interfaces being closed in the middle of it. Exactly this happens though, because we iterate the list, find the AP master this AP_VLAN belongs to and dev_close() the dependent VLANs. After this, unregister_netdevice_many() won't pick up the fact that the AP_VLAN is already down and will do it again, causing a crash. Signed-off-by: Johannes Berg Cc: Eric Dumazet Signed-off-by: Greg Kroah-Hartman commit dfd969a6927de9298544d1d51d9e69b9e88243f2 Author: Stanislaw Gruszka Date: Fri May 17 13:43:04 2013 +0200 mac80211: fix direct probe auth commit 6211dd12da609bc6893b9c3182630b494737ec4b upstream. We send direct probe to broadcast address, as some APs do not respond to unicast PROBE frames when unassociated. Broadcast frames are not acked, so we can not use that for trigger MLME state machine, but we need to use old timeout mechanism. This fixes authentication timed out like below: [ 1024.671974] wlan6: authenticate with 54:e6:fc:98:63:fe [ 1024.694125] wlan6: direct probe to 54:e6:fc:98:63:fe (try 1/3) [ 1024.695450] wlan6: direct probe to 54:e6:fc:98:63:fe (try 2/3) [ 1024.700586] wlan6: send auth to 54:e6:fc:98:63:fe (try 3/3) [ 1024.701441] wlan6: authentication with 54:e6:fc:98:63:fe timed out With fix, we have: [ 4524.198978] wlan6: authenticate with 54:e6:fc:98:63:fe [ 4524.220692] wlan6: direct probe to 54:e6:fc:98:63:fe (try 1/3) [ 4524.421784] wlan6: send auth to 54:e6:fc:98:63:fe (try 2/3) [ 4524.423272] wlan6: authenticated [ 4524.423811] wlan6: associate with 54:e6:fc:98:63:fe (try 1/3) [ 4524.427492] wlan6: RX AssocResp from 54:e6:fc:98:63:fe (capab=0x431 status=0 aid=1) Signed-off-by: Stanislaw Gruszka Signed-off-by: Johannes Berg Signed-off-by: Greg Kroah-Hartman commit 44f781d513619ed4b6e6a1545d912b2733f65cce Author: Ben Skeggs Date: Mon May 13 16:11:12 2013 +1000 drm/nvc0/ce: disable ce1 on a number of chipsets commit 6d5f83834dc2b064b8c1202ea281820286b675a8 upstream. The falcon is present, but the rest of the copy engine doesn't appear to be... PUNITS doesn't report disabled (maybe the bits for the copy engines got added later?), so we end up trying to use a non-functional CE1, and bust all sorts of things.. Most notably, suspend/resume.. Signed-off-by: Ben Skeggs Signed-off-by: Lingzhu Xiang Signed-off-by: Greg Kroah-Hartman commit 4c52865e365e443d2e3ffafb8b41a206d7848e8f Author: Bastian Triller Date: Sun May 19 11:52:33 2013 +0000 ACPI / video: Add "Asus UL30A" to ACPI video detect blacklist commit c8f6d8351ba8c89d5cd4c562552ec7ec29274e31 upstream. Like on UL30VT, the ACPI video driver can't control backlight correctly on Asus UL30A. Vendor driver (asus-laptop) can work. This patch is to add "Asus UL30A" to ACPI video detect blacklist in order to use asus-laptop for video control on the "Asus UL30A" rather than ACPI video driver. Signed-off-by: Bastian Triller Signed-off-by: Rafael J. Wysocki Signed-off-by: Greg Kroah-Hartman commit 8a031713e071cd0576b77e4cc171fabc6a828a7b Author: Rafael J. Wysocki Date: Thu May 16 22:29:28 2013 +0200 ACPI / PM: Allow device power states to be used for CONFIG_PM unset commit ec4602a9588a196fa1a9af46bfdd37cbf5792db4 upstream. Currently, drivers/acpi/device_pm.c depends on CONFIG_PM and all of the functions defined in there are replaced with static inline stubs if that option is unset. However, CONFIG_PM means, roughly, "runtime PM or suspend/hibernation support" and some of those functions are useful regardless of that. For example, they are used by the ACPI fan driver for controlling fans and acpi_device_set_power() is called during device removal. Moreover, device initialization may depend on setting device power states properly. For these reasons, make the routines manipulating ACPI device power states defined in drivers/acpi/device_pm.c available for CONFIG_PM unset too. Reported-by: Zhang Rui Reported-and-tested-by: Michel Lespinasse Signed-off-by: Rafael J. Wysocki Signed-off-by: Greg Kroah-Hartman commit 2bd3458fcd2cdf088066f5707cf48b6082e534bc Author: Joerg Roedel Date: Thu Apr 18 17:55:04 2013 +0200 iommu/amd: Workaround for ERBT1312 commit d3263bc29706e42f74d8800807c2dedf320d77f1 upstream. Work around an IOMMU hardware bug where clearing the EVT_INT or PPR_INT bit in the status register may race with the hardware trying to set it again. When not handled the bit might not be cleared and we lose all future event or ppr interrupts. Reported-by: Suravee Suthikulpanit Signed-off-by: Joerg Roedel Signed-off-by: Greg Kroah-Hartman commit a5ebc7d3405ae79948b08f1a399f02f421606b2f Author: Suravee Suthikulpanit Date: Wed Mar 27 18:51:52 2013 -0500 iommu/amd: Re-enable IOMMU event log interrupt after handling. commit 925fe08bce38d1ff052fe2209b9e2b8d5fbb7f98 upstream. Current driver does not clear the IOMMU event log interrupt bit in the IOMMU status register after processing an interrupt. This causes the IOMMU hardware to generate event log interrupt only once. This has been observed in both IOMMU v1 and V2 hardware. This patch clears the bit by writing 1 to bit 1 of the IOMMU status register (MMIO Offset 2020h) Signed-off-by: Suravee Suthikulpanit Signed-off-by: Joerg Roedel Signed-off-by: Greg Kroah-Hartman commit aba0642011e925937785d36abc83288dbf891f44 Author: Emmanuel Grumbach Date: Tue May 7 14:08:24 2013 +0300 iwlwifi: mvm: fix aggregation drain flow commit e3d4bc8cc0230e8dc8033484666f03f87392a8c4 upstream. Move the counter for non-AMPDU frames to mvm. It is needed for the drain flow which happens once the ieee80211_sta has been freed, so keeping it in iwl_mvm_sta which is embed into ieee80211_sta is not a good idea. Also, since its purpose it to remove the STA in the fw only after all the frames for this station have exited the shared Tx queues, we need to decrement it in the reclaim flow. This flow can happen after ieee80211_sta has been removed, which means that we have no iwl_mvm_sta there. So we can't know what is the vif type. Hence, we know audit these frames for all the vif types. In order to avoid spawning sta_drained_wk all the time, we now check that we are in a flow in which draining might happen - only when mvmsta is NULL. This is better than previous code that would spawn sta_drained_wk all the time in AP mode. Signed-off-by: Emmanuel Grumbach Reviewed-by: Ilan Peer Reviewed-by: Johannes Berg Signed-off-by: Johannes Berg Signed-off-by: Lingzhu Xiang Signed-off-by: Greg Kroah-Hartman commit a24954fba6c895b8cc2404d2e0d8a586e725d8f7 Author: Wei Liu Date: Mon Mar 25 01:08:20 2013 +0000 xen-netback: remove skb in xen_netbk_alloc_page commit 27f852282ab9a028f57da96d05c26f38c424a315 upstream. This variable is never used. Signed-off-by: Wei Liu Acked-by: Ian Campbell Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 304e2db4df883a01001a4633be6e500ea290954c Author: Dave Kleikamp Date: Wed May 1 11:08:38 2013 -0500 jfs: fix a couple races commit 73aaa22d5ffb2630456bac2f9a4ed9b81d0d7271 upstream. This patch fixes races uncovered by xfstests testcase 068. One race is the result of jfs_sync() trying to write a sync point to the journal after it has been frozen (or possibly in the process). Since freezing sync's the journal, there is no need to write a sync point so we simply want to return. The second involves jfs_write_inode() being called on a deleted inode. It calls jfs_flush_journal which is held up by the jfs_commit thread doing the final iput on the same deleted inode, which itself is waiting for the I_SYNC flag to be cleared. jfs_write_inode need not do anything when i_nlink is zero, which is the easy fix. Reported-by: Michael L. Semon Signed-off-by: Dave Kleikamp Signed-off-by: Greg Kroah-Hartman commit 2ff61e0df36edc0b8db3aa519fd99de04e087694 Author: Jeff Mahoney Date: Fri May 31 15:07:52 2013 -0400 reiserfs: fix spurious multiple-fill in reiserfs_readdir_dentry commit 0bdc7acba56a7ca4232f15f37b16f7ec079385ab upstream. After sleeping for filldir(), we check to see if the file system has changed and research. The next_pos pointer is updated but its value isn't pushed into the key used for the search itself. As a result, the search returns the same item that the last cycle of the loop did and filldir() is called multiple times with the same data. The end result is that the buffer can contain the same name multiple times. This can be returned to userspace or used internally in the xattr code where it can manifest with the following warning: jdm-20004 reiserfs_delete_xattrs: Couldn't delete all xattrs (-2) reiserfs_for_each_xattr uses reiserfs_readdir_dentry to iterate over the xattr names and ends up trying to unlink the same name twice. The second attempt fails with -ENOENT and the error is returned. At some point I'll need to add support into reiserfsck to remove the orphaned directories left behind when this occurs. The fix is to push the value into the key before researching. Signed-off-by: Jeff Mahoney Signed-off-by: Jan Kara Signed-off-by: Jonghwan Choi Signed-off-by: Greg Kroah-Hartman commit 0bc0b3daef44a2be5369b125e3ec8701cbc71a21 Author: Jeff Mahoney Date: Fri May 31 15:54:17 2013 -0400 reiserfs: fix problems with chowning setuid file w/ xattrs commit 4a8570112b76a63ad21cfcbe2783f98f7fd5ba1b upstream. reiserfs_chown_xattrs() takes the iattr struct passed into ->setattr and uses it to iterate over all the attrs associated with a file to change ownership of xattrs (and transfer quota associated with the xattr files). When the setuid bit is cleared during chown, ATTR_MODE and iattr->ia_mode are passed to all the xattrs as well. This means that the xattr directory will have S_IFREG added to its mode bits. This has been prevented in practice by a missing IS_PRIVATE check in reiserfs_acl_chmod, which caused a double-lock to occur while holding the write lock. Since the file system was completely locked up, the writeout of the corrupted mode never happened. This patch temporarily clears everything but ATTR_UID|ATTR_GID for the calls to reiserfs_setattr and adds the missing IS_PRIVATE check. Signed-off-by: Jeff Mahoney Signed-off-by: Jan Kara Signed-off-by: Jonghwan Choi Signed-off-by: Greg Kroah-Hartman commit 4027e091f91f29ce7abaab676e827fd5ff90d148 Author: Jeff Mahoney Date: Fri May 31 15:51:17 2013 -0400 reiserfs: fix deadlock with nfs racing on create/lookup commit a1457c0ce976bad1356b9b0437f2a5c3ab8a9cfc upstream. Reiserfs is currently able to be deadlocked by having two NFS clients where one has removed and recreated a file and another is accessing the file with an open file handle. If one client deletes and recreates a file with timing such that the recreated file obtains the same [dirid, objectid] pair as the original file while another client accesses the file via file handle, the create and lookup can race and deadlock if the lookup manages to create the in-memory inode first. The create thread, in insert_inode_locked4, will hold the write lock while waiting on the other inode to be unlocked. The lookup thread, anywhere in the iget path, will release and reacquire the write lock while it schedules. If it needs to reacquire the lock while the create thread has it, it will never be able to make forward progress because it needs to reacquire the lock before ultimately unlocking the inode. This patch drops the write lock across the insert_inode_locked4 call so that the ordering of inode_wait -> write lock is retained. Since this would have been the case before the BKL push-down, this is safe. Signed-off-by: Jeff Mahoney Signed-off-by: Jan Kara Signed-off-by: Jonghwan Choi Signed-off-by: Greg Kroah-Hartman commit 638d51731a15bee509068dbbae94e8343445d731 Author: Srivatsa S. Bhat Date: Tue May 21 09:32:48 2013 +0000 powerpc/pseries: Always enable CONFIG_HOTPLUG_CPU on PSERIES SMP commit f274ef8747d3be649bba8708696fb31cb00fa75a upstream. Adam Lackorzynski reported the following build failure on !CONFIG_HOTPLUG_CPU configuration: CC arch/powerpc/kernel/rtas.o arch/powerpc/kernel/rtas.c: In function ‘rtas_cpu_state_change_mask’: arch/powerpc/kernel/rtas.c:843:4: error: implicit declaration of function ‘cpu_down’ [-Werror=implicit-function-declaration] cc1: all warnings being treated as errors make[1]: *** [arch/powerpc/kernel/rtas.o] Error 1 make: *** [arch/powerpc/kernel] Error 2 The build fails because cpu_down() is defined only under CONFIG_HOTPLUG_CPU. Looking further, the mobility code in pseries is one of the call-sites which uses rtas_ibm_suspend_me(), which in turn calls rtas_cpu_state_change_mask(). And the mobility code is unconditionally compiled-in (it does not fall under any Kconfig option). And commit 120496ac (powerpc: Bring all threads online prior to migration/hibernation) which introduced this build regression is critical for the proper functioning of the migration code. So it appears that the only solution to this problem is to enable CONFIG_HOTPLUG_CPU if SMP is enabled on PPC_PSERIES platforms. So make that change in the Kconfig. Reported-by: Adam Lackorzynski Signed-off-by: Srivatsa S. Bhat Signed-off-by: Benjamin Herrenschmidt Signed-off-by: Greg Kroah-Hartman commit 032e6d6cfe7dfa4a36b228755e8c5e4d9fd81107 Author: Kishon Vijay Abraham I Date: Thu May 30 15:55:09 2013 +0530 regulator: palmas: Fix "enable_reg" to point to the correct reg for SMPS10 commit f232168df0c7e7414b70ac5d8fed83086d441c0b upstream. regulator_enable_regmap() uses enable_reg to enable the regulator. But enable_reg for smps10 points to SMPS10_STATUS which is a read-only register. Fixed the same by having enable_reg set to SMPS10_CTRL. Signed-off-by: Kishon Vijay Abraham I Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit c534bfb76524145e32a5066ca73b6836ce744c38 Author: Paolo Bonzini Date: Thu May 30 16:35:55 2013 +0200 KVM: fix sil/dil/bpl/spl in the mod/rm fields commit 8acb42070ec4c87a9baab5c7bac626030d5bef28 upstream. The x86-64 extended low-byte registers were fetched correctly from reg, but not from mod/rm. This fixes another bug in the boot of RHEL5.9 64-bit, but it is still not enough. Signed-off-by: Paolo Bonzini Signed-off-by: Gleb Natapov Signed-off-by: Greg Kroah-Hartman commit 744a4e1d595d9e4b39ff843fe6957defd7dd3ac6 Author: Paolo Bonzini Date: Thu May 30 13:22:39 2013 +0200 KVM: Emulate multibyte NOP commit 103f98ea64a1b0a67d8a1b23070b4db3533db2b8 upstream. This is encountered when booting RHEL5.9 64-bit. There is another bug after this one that is not a simple emulation failure, but this one lets the boot proceed a bit. Signed-off-by: Paolo Bonzini Signed-off-by: Gleb Natapov Signed-off-by: Greg Kroah-Hartman commit baac211e7927df46735dbc3d5529b9bfb55a3422 Author: Trond Myklebust Date: Wed May 29 15:36:40 2013 -0400 NFSv4: Fix a thinko in nfs4_try_open_cached commit f448badd34700ae728a32ba024249626d49c10e1 upstream. We need to pass the full open mode flags to nfs_may_open() when doing a delegated open. Signed-off-by: Trond Myklebust Signed-off-by: Greg Kroah-Hartman commit 0b0fc73ec0d067924cfa5504f93c1a506efb941f Author: Nicholas Bellinger Date: Wed May 15 01:30:01 2013 -0700 ib_srpt: Call target_sess_cmd_list_set_waiting during shutdown_session commit 1d19f7800d643b270b28d0a969c5eca455d54397 upstream. Given that srpt_release_channel_work() calls target_wait_for_sess_cmds() to allow outstanding se_cmd_t->cmd_kref a change to complete, the call to perform target_sess_cmd_list_set_waiting() needs to happen in srpt_shutdown_session() Also, this patch adds an explicit call to srpt_shutdown_session() within srpt_drain_channel() so that target_sess_cmd_list_set_waiting() will be called in the cases where TFO->shutdown_session() is not triggered directly by TCM. Signed-off-by: Nicholas Bellinger Cc: Joern Engel Cc: Roland Dreier Signed-off-by: Greg Kroah-Hartman commit a6ff6ba26bd680f6c2afe0e599ffde19f9c41cb2 Author: Kees Cook Date: Thu May 23 10:32:17 2013 -0700 iscsi-target: fix heap buffer overflow on error commit cea4dcfdad926a27a18e188720efe0f2c9403456 upstream. If a key was larger than 64 bytes, as checked by iscsi_check_key(), the error response packet, generated by iscsi_add_notunderstood_response(), would still attempt to copy the entire key into the packet, overflowing the structure on the heap. Remote preauthentication kernel memory corruption was possible if a target was configured and listening on the network. CVE-2013-2850 Signed-off-by: Kees Cook Signed-off-by: Nicholas Bellinger Signed-off-by: Greg Kroah-Hartman commit 4fdf4857d1deca93307532525857dc7490641af5 Author: Michael Neuling Date: Sun May 26 18:30:56 2013 +0000 powerpc/tm: Move TM abort cause codes to uapi commit b75c100ef24894bd2c8b52e123bcc5f191c5d9fd upstream. These cause codes are usable by userspace, so let's export to uapi. Signed-off-by: Michael Neuling Signed-off-by: Benjamin Herrenschmidt Signed-off-by: Greg Kroah-Hartman commit e71c42189de0af8b93505e559837d934f6cb42b6 Author: Michael Neuling Date: Sun May 26 18:09:39 2013 +0000 powerpc/tm: Abort on emulation and alignment faults commit 6ce6c629fd8254b3177650de99699682ff7f6707 upstream. If we are emulating an instruction inside an active user transaction that touches memory, the kernel can't emulate it as it operates in transactional suspend context. We need to abort these transactions and send them back to userspace for the hardware to rollback. We can service these if the user transaction is in suspend mode, since the kernel will operate in the same suspend context. This adds a check to all alignment faults and to specific instruction emulations (only string instructions for now). If the user process is in an active (non-suspended) transaction, we abort the transaction go back to userspace allowing the HW to roll back the transaction and tell the user of the failure. This also adds new tm abort cause codes to report the reason of the persistent error to the user. Crappy test case here http://neuling.org/devel/junkcode/aligntm.c Signed-off-by: Michael Neuling Signed-off-by: Benjamin Herrenschmidt Signed-off-by: Greg Kroah-Hartman commit 2568d1e1e1c1eebd783bf35ae3bddb271f0ebd35 Author: Michael Neuling Date: Sun May 26 18:09:41 2013 +0000 powerpc/tm: Fix userspace stack corruption on signal delivery for active transactions commit 2b3f8e87cf99a33fb6faf5026d7147748bbd77b6 upstream. When in an active transaction that takes a signal, we need to be careful with the stack. It's possible that the stack has moved back up after the tbegin. The obvious case here is when the tbegin is called inside a function that returns before a tend. In this case, the stack is part of the checkpointed transactional memory state. If we write over this non transactionally or in suspend, we are in trouble because if we get a tm abort, the program counter and stack pointer will be back at the tbegin but our in memory stack won't be valid anymore. To avoid this, when taking a signal in an active transaction, we need to use the stack pointer from the checkpointed state, rather than the speculated state. This ensures that the signal context (written tm suspended) will be written below the stack required for the rollback. The transaction is aborted becuase of the treclaim, so any memory written between the tbegin and the signal will be rolled back anyway. For signals taken in non-TM or suspended mode, we use the normal/non-checkpointed stack pointer. Tested with 64 and 32 bit signals Signed-off-by: Michael Neuling Signed-off-by: Benjamin Herrenschmidt Signed-off-by: Greg Kroah-Hartman commit 8c2d6d574ee0d0a89876f6259ad444a2a50f1306 Author: Michael Neuling Date: Sun May 26 18:09:38 2013 +0000 powerpc/tm: Update cause codes documentation commit 24b92375dc4ec8a15262e8aaaab60b7404d4b1e7 upstream. Signed-off-by: Michael Neuling Signed-off-by: Benjamin Herrenschmidt Signed-off-by: Greg Kroah-Hartman commit 1ece539081c17ea0ba11641390c25861e5599f0a Author: Michael Neuling Date: Sun May 26 18:09:37 2013 +0000 powerpc/tm: Make room for hypervisor in abort cause codes commit 35f7097fcedec63fcba1852dbee96f74a2d90878 upstream. PAPR carves out 0xff-0xe0 for hypervisor use of transactional memory software abort cause codes. Unfortunately we don't respect this currently. Below fixes this to move our cause codes to below this region. Signed-off-by: Michael Neuling Signed-off-by: Benjamin Herrenschmidt Signed-off-by: Greg Kroah-Hartman commit d0b82237f3e6a9cec57c827849fbb7f461b44619 Author: Priyanka Jain Date: Fri May 31 01:20:02 2013 +0000 powerpc/32bit:Store temporary result in r0 instead of r8 commit f7b3367774f92a688d39ed767f0ae9b93af7873a upstream. Commit a9c4e541ea9b22944da356f2a9258b4eddcc953b "powerpc/kprobe: Complete kprobe and migrate exception frame" introduced a regression: While returning from exception handling in case of PREEMPT enabled, _TIF_NEED_RESCHED bit is checked in TI_FLAGS (thread_info flag) of current task. Only if this bit is set, it should continue with the process of calling preempt_schedule_irq() to schedule highest priority task if available. Current code assumes that r8 contains TI_FLAGS and check this for _TIF_NEED_RESCHED, but as r8 is modified in the code which executes before this check, r8 no longer contains the expected TI_FLAGS information. As a result check for comparison with _TIF_NEED_RESCHED was failing even if NEED_RESCHED bit is set in the current thread_info flag. Due to this, preempt_schedule_irq() and in turn scheduler was not getting called even if highest priority task is ready for execution. So, store temporary results in r0 instead of r8 to prevent r8 from getting modified as subsequent code is dependent on its value. Signed-off-by: Priyanka Jain Signed-off-by: Benjamin Herrenschmidt Signed-off-by: Greg Kroah-Hartman commit e92b3f9342bd09ba9707d0500b46c6500de1b1fc Author: Tejun Heo Date: Fri May 24 10:50:24 2013 +0900 cgroup: fix a subtle bug in descendant pre-order walk commit 7805d000db30a3787a4c969bab6ae4d8a5fd8ce6 upstream. When cgroup_next_descendant_pre() initiates a walk, it checks whether the subtree root doesn't have any children and if not returns NULL. Later code assumes that the subtree isn't empty. This is broken because the subtree may become empty inbetween, which can lead to the traversal escaping the subtree by walking to the sibling of the subtree root. There's no reason to have the early exit path. Remove it along with the later assumption that the subtree isn't empty. This simplifies the code a bit and fixes the subtle bug. While at it, fix the comment of cgroup_for_each_descendant_pre() which was incorrectly referring to ->css_offline() instead of ->css_online(). Signed-off-by: Tejun Heo Reviewed-by: Michal Hocko Signed-off-by: Greg Kroah-Hartman commit 24622f8bb1d75e005f6cd1ccaea82b72e31b6d6c Author: Li Zefan Date: Tue May 14 19:44:20 2013 +0800 cgroup: initialize xattr before calling d_instantiate() commit d6cbf35dac8a3dadb9103379820c96d7c85df3d9 upstream. cgroup_create_file() calls d_instantiate(), which may decide to look at the xattrs on the file. Smack always does this and SELinux can be configured to do so. But cgroup_add_file() didn't initialize xattrs before calling cgroup_create_file(), which finally leads to dereferencing NULL dentry->d_fsdata. This bug has been there since cgroup xattr was introduced. Reported-by: Ivan Bulatovic Reported-by: Casey Schaufler Signed-off-by: Li Zefan Signed-off-by: Tejun Heo Signed-off-by: Greg Kroah-Hartman commit 52f36be0f4e2fafa5dd85fbd6508bbfba314fd58 Author: Christian Borntraeger Date: Mon May 27 16:19:55 2013 +0200 s390/pgtable: Fix check for pgste/storage key handling commit b56433cb782d1cc7e44fc46d2ce3917fa75d2236 upstream. pte_present might return true on PAGE_TYPE_NONE, even if the invalid bit is on. Modify the existing check of the pgste functions to avoid crashes. [ Martin Schwidefsky: added ptep_modify_prot_[start|commit] bits ] Reported-by: Martin Schwidefky Signed-off-by: Christian Borntraeger Signed-off-by: Martin Schwidefsky Signed-off-by: Greg Kroah-Hartman commit f64747c92f852b35b870408cbc82ffa4f1ce76b8 Author: Finn Thain Date: Wed May 29 12:37:17 2013 +1000 m68k/mac: Fix unexpected interrupt with CONFIG_EARLY_PRINTK commit df66834a43c461de2565c45d815288ba1c0def37 upstream. The present code does not wait for the SCC to finish resetting itself before trying to initialise the device. The result is that the SCC interrupt sources become enabled (if they weren't already). This leads to an early boot crash (unexpected interrupt) given CONFIG_EARLY_PRINTK. Fix this by adding a delay. A successful reset disables the interrupt sources. Also, after the reset for channel A setup, the SCC then gets a second reset for channel B setup which leaves channel A uninitialised again. Fix this by performing the reset only once. Signed-off-by: Finn Thain Signed-off-by: Geert Uytterhoeven Signed-off-by: Greg Kroah-Hartman commit 27a8de81bf1a476a3df6dd548c4925aa87689c92 Author: Vincent Pelletier Date: Sat May 18 18:44:04 2013 +0200 libata: make ata_exec_internal_sg honor DMADIR commit e771451c0a831d96a7c14b0ca8a8ec671d98567b upstream. libata honors DMADIR for regular commands, but not for internal commands used (among other) during device initialisation. This makes SATA-host-to-PATA-device bridges based on Silicon Image SiL3611 (such as "Abit Serillel 2") end up disabled when used with an ATAPI device after a few tries. Log output of the bridge being hot-plugged with an ATAPI drive: [ 9631.212901] ata1: exception Emask 0x10 SAct 0x0 SErr 0x40c0000 action 0xe frozen [ 9631.212913] ata1: irq_stat 0x00000040, connection status changed [ 9631.212923] ata1: SError: { CommWake 10B8B DevExch } [ 9631.212939] ata1: hard resetting link [ 9632.104962] ata1: SATA link up 1.5 Gbps (SStatus 113 SControl 300) [ 9632.106393] ata1.00: ATAPI: PIONEER DVD-RW DVR-115, 1.06, max UDMA/33 [ 9632.106407] ata1.00: applying bridge limits [ 9632.108151] ata1.00: configured for UDMA/33 [ 9637.105303] ata1.00: qc timeout (cmd 0xa0) [ 9637.105324] ata1.00: failed to clear UNIT ATTENTION (err_mask=0x5) [ 9637.105335] ata1: hard resetting link [ 9638.044599] ata1: SATA link up 1.5 Gbps (SStatus 113 SControl 300) [ 9638.047878] ata1.00: configured for UDMA/33 [ 9643.044933] ata1.00: qc timeout (cmd 0xa0) [ 9643.044953] ata1.00: failed to clear UNIT ATTENTION (err_mask=0x5) [ 9643.044963] ata1: limiting SATA link speed to 1.5 Gbps [ 9643.044971] ata1.00: limiting speed to UDMA/33:PIO3 [ 9643.044979] ata1: hard resetting link [ 9643.984225] ata1: SATA link up 1.5 Gbps (SStatus 113 SControl 310) [ 9643.987471] ata1.00: configured for UDMA/33 [ 9648.984591] ata1.00: qc timeout (cmd 0xa0) [ 9648.984612] ata1.00: failed to clear UNIT ATTENTION (err_mask=0x5) [ 9648.984619] ata1.00: disabled [ 9649.000593] ata1: hard resetting link [ 9649.939902] ata1: SATA link up 1.5 Gbps (SStatus 113 SControl 310) [ 9649.955864] ata1: EH complete With this patch, the drive enumerates correctly when libata is loaded with atapi_dmadir=1: [ 9891.810863] ata1: exception Emask 0x10 SAct 0x0 SErr 0x40c0000 action 0xe frozen [ 9891.810874] ata1: irq_stat 0x00000040, connection status changed [ 9891.810884] ata1: SError: { CommWake 10B8B DevExch } [ 9891.810900] ata1: hard resetting link [ 9892.762105] ata1: SATA link up 1.5 Gbps (SStatus 113 SControl 300) [ 9892.763544] ata1.00: ATAPI: PIONEER DVD-RW DVR-115, 1.06, max UDMA/33, DMADIR [ 9892.763558] ata1.00: applying bridge limits [ 9892.765393] ata1.00: configured for UDMA/33 [ 9892.786063] ata1: EH complete [ 9892.792062] scsi 0:0:0:0: CD-ROM PIONEER DVD-RW DVR-115 1.06 PQ: 0 ANSI: 5 [ 9892.798455] sr2: scsi3-mmc drive: 12x/12x writer dvd-ram cd/rw xa/form2 cdda tray [ 9892.798837] sr 0:0:0:0: Attached scsi CD-ROM sr2 [ 9892.799109] sr 0:0:0:0: Attached scsi generic sg6 type 5 Based on a patch by Csaba Halász on linux-ide: http://marc.info/?l=linux-ide&m=136121147832295&w=2 tj: minor formatting changes. Signed-off-by: Vincent Pelletier Signed-off-by: Tejun Heo Signed-off-by: Greg Kroah-Hartman commit abf7e0f92a83b9fa5931c68cfaafd32dfcf092fe Author: Chew, Chiau Ee Date: Thu May 16 15:33:29 2013 +0800 ata_piix: add PCI IDs for Intel BayTail commit fca8c90d519dedd4f4b19901d005c243f7f0bf2e upstream. Adds IDE-mode SATA Device IDs for the Intel BayTrail platform. Signed-off-by: Chew, Chiau Ee Signed-off-by: Artem Bityutskiy Signed-off-by: Tejun Heo Signed-off-by: Greg Kroah-Hartman commit 0656f99eca400c54723dc7b8d59070694a329557 Author: Sergei Shtylyov Date: Sat Jun 1 02:38:35 2013 +0400 sata_rcar: fix interrupt handling commit 52a2a1087b5924de00484f35ef5e2a73f61dbd22 upstream. The driver's interrupt handling code is too picky in deciding whether it should handle an interrupt or not which causes completely unneeded spurious interrupts. Thus make sata_rcar_{ata|serr}_interrupt() *void*; add ATA status register read to sata_rcar_ata_interrupt() to clear an unexpected ATA interrupt -- it doesn't get cleared by writing to the SATAINTSTAT register in the interrupt mode we use. Also, in sata_rcar_ata_interrupt() we should check SATAINTSTAT register only for enabled interrupts and we should clear only those interrupts that we have read as active first time around, because else we have a race and risk clearing an interrupt that can occur between read and write of the SATAINTSTAT register and never registering it... Signed-off-by: Sergei Shtylyov Signed-off-by: Tejun Heo Signed-off-by: Greg Kroah-Hartman commit 278cbfb57813031b472f6fba7293155f6d71d306 Author: Sergei Shtylyov Date: Tue May 21 23:07:54 2013 +0400 sata_rcar: clear STOP bit in bmdma_start() method commit df7e131f6359f20ed8f0a37db039c4f6420a18c2 upstream. Iff bmdma_setup() has to stop a DMA transfer before starting a new one, then the STOP bit in the ATAPI_CONTROL1 register will remain set (it's only cleared when setting the START bit to 1) and then bmdma_start() method will set both START and STOP bits simultaneously which should abort the transfer being just started. Avoid that by explicitly clearing the STOP bit in bmdma_start() method (in this case it will be ignored on write). Signed-off-by: Sergei Shtylyov Signed-off-by: Tejun Heo Signed-off-by: Greg Kroah-Hartman commit 661926a0a9594143ed7f189521d8b8c848f480c7 Author: Jeff Layton Date: Fri May 24 07:40:04 2013 -0400 cifs: fix potential buffer overrun when composing a new options string commit 166faf21bd14bc5c5295a44874bf7f3930c30b20 upstream. Consider the case where we have a very short ip= string in the original mount options, and when we chase a referral we end up with a very long IPv6 address. Be sure to allow for that possibility when estimating the size of the string to allocate. Signed-off-by: Jeff Layton Signed-off-by: Steve French Signed-off-by: Greg Kroah-Hartman commit 968678e436eb6cf11c09068b24acfdffc7f48891 Author: Horia Geanta Date: Fri May 10 15:08:39 2013 +0300 crypto: caam - fix inconsistent assoc dma mapping direction commit 286233e604d79f0c7fa04abec2180d5d89a74749 upstream. req->assoc is dma mapped BIDIRECTIONAL and unmapped TO_DEVICE. Since it is read-only for the device, use TO_DEVICE both for mapping and unmapping. Signed-off-by: Horia Geanta Signed-off-by: Herbert Xu Signed-off-by: Greg Kroah-Hartman commit db4ade5e0a6e3f4c8853e707e3373e9cca4a0dff Author: Alex Deucher Date: Wed May 22 11:22:51 2013 -0400 drm/radeon: fix card_posted check for newer asics commit 09fb8bd1a63b0f9f15e655c4fe8d047e5d2bf67a upstream. Newer asics have variable numbers of crtcs. Use that rather than the asic family to determine which crtcs to check. This avoids checking non-existent crtcs or missing crtcs on certain asics. Reviewed-by: Michel Dänzer Signed-off-by: Alex Deucher Signed-off-by: Greg Kroah-Hartman commit d606428b9959595df1443509386cb1b0af6ebdc5 Author: Alex Deucher Date: Tue May 21 13:35:19 2013 -0400 drm/radeon: fix typo in cu_per_sh on verde commit 468ef1a58c9268ac9709350bf95eaf1c22a69f29 upstream. Should be 5 rather than 2. Noticed by sroland and glisse on IRC. Signed-off-by: Alex Deucher Signed-off-by: Greg Kroah-Hartman commit 881d1d26244ff3f8d6a09979f82ef70545cd8c0a Author: Rodrigo Vivi Date: Mon May 13 18:12:25 2013 -0300 drm/i915: Adding more reserved PCI IDs for Haswell. commit 1c98b4871cca4b7ce07e19f92f934d47cf7210b0 upstream. At DDX commit Chris mentioned the tendency we have of finding out more PCI IDs only when users report. So Let's add all new reserved Haswell IDs. This patch also fix GT3 names. I'no not sending in separated patche because names are only in few comments and not in variable names. v2: Fix some mobile ids (by Paulo) References: http://bugs.freedesktop.org/show_bug.cgi?id=63701 Signed-off-by: Rodrigo Vivi Cc: Chris Wilson Cc: Paulo Zanoni Reviewed-by: Paulo Zanoni Signed-off-by: Daniel Vetter Signed-off-by: Greg Kroah-Hartman commit a793eb86637c298100524d3a673ea0473f1d2bea Author: Charles Keepax Date: Fri May 24 11:38:24 2013 +0100 ASoC: wm5110: Correct DSP4R Mixer control name commit 39d4ecdb711ba44e0aa0b2f3db74ed5ac97abe21 upstream. Signed-off-by: Charles Keepax Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit 3b282a2a5f2d34d9bcd61f7356e00836c6050e1e Author: Nicolas Schichan Date: Thu May 23 16:53:02 2013 +0200 ASoC: cs42l52: fix default value for MASTERA_VOL. commit 04d245b7899c020559402841d2f70ddd740a7704 upstream. The default register value for MASTERA_VOL is 0x00, the same as MASTERB_VOL. Signed-off-by: Nicolas Schichan Acked-by: Brian Austin Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit 6731af83fc71df68bf499460c509455df71d1d74 Author: J. Bruce Fields Date: Fri May 24 17:24:34 2013 -0400 svcrpc: fix failures to handle -1 uid's and gid's commit afe3c3fd5392b2f0066930abc5dbd3f4b14a0f13 upstream. As of f025adf191924e3a75ce80e130afcd2485b53bb8 "sunrpc: Properly decode kuids and kgids in RPC_AUTH_UNIX credentials" any rpc containing a -1 (0xffff) uid or gid would fail with a badcred error. Reported symptoms were xmbc clients failing on upgrade of the NFS server; examination of the network trace showed them sending -1 as the gid. Reported-by: Julian Sikorski Tested-by: Julian Sikorski Cc: "Eric W. Biederman" Signed-off-by: J. Bruce Fields Signed-off-by: Greg Kroah-Hartman commit d52bd6ede0250d1bdf389e2d0be2cd63640a5828 Author: Trond Myklebust Date: Wed May 22 12:57:24 2013 -0400 SUNRPC: Prevent an rpc_task wakeup race commit a3c3cac5d31879cd9ae2de7874dc6544ca704aec upstream. The lockless RPC_IS_QUEUED() test in __rpc_execute means that we need to be careful about ordering the calls to rpc_test_and_set_running(task) and rpc_clear_queued(task). If we get the order wrong, then we may end up testing the RPC_TASK_RUNNING flag after __rpc_execute() has looped and changed the state of the rpc_task. Signed-off-by: Trond Myklebust Signed-off-by: Greg Kroah-Hartman commit 09493e200a8db589a359a5bf0cd44777c8a540d2 Author: Sylwester Nawrocki Date: Wed Jan 9 17:39:51 2013 -0800 ARM: SAMSUNG: Export MIPI CSIS/DSIM PHY control functions commit 30da66eafc015cd7e952829eaf8f86d8680f86d9 upstream. The s5p_csis_phy_enable/s5p_dsim_phy_enable functions are now used directly by corresponding drivers and thus need to be exported so the drivers can be built as modules. Signed-off-by: Sylwester Nawrocki Signed-off-by: Kyungmin Park Signed-off-by: Kukjin Kim Signed-off-by: Greg Kroah-Hartman commit 1fd8fe9227c6a0b11da522709264a0ebcc0c002a Author: Mark Rutland Date: Tue May 28 15:54:15 2013 +0100 arm64: don't kill the kernel on a bad esr from el0 commit 9955ac47f4ba1c95ecb6092aeaefb40a22e99268 upstream. Rather than completely killing the kernel if we receive an esr value we can't deal with in the el0 handlers, send the process a SIGILL and log the esr value in the hope that we can debug it. If we receive a bad esr from el1, we'll die() as before. Signed-off-by: Mark Rutland Signed-off-by: Catalin Marinas Signed-off-by: Greg Kroah-Hartman commit e08d9828d5d6925562f8c13bc6a70aab7eeddd9a Author: Dave Chinner Date: Mon May 27 16:38:25 2013 +1000 xfs: kill suid/sgid through the truncate path. commit 2962f5a5dcc56f69cbf62121a7be67cc15d6940b upstream. XFS has failed to kill suid/sgid bits correctly when truncating files of non-zero size since commit c4ed4243 ("xfs: split xfs_setattr") introduced in the 3.1 kernel. Fix it. Fix it. Signed-off-by: Dave Chinner Reviewed-by: Brian Foster Signed-off-by: Ben Myers Signed-off-by: Greg Kroah-Hartman commit 1532d7f86dba949ecd533c1f7a6bd03ed9069227 Author: Rusty Russell Date: Wed Apr 17 13:20:03 2013 +0930 module: don't unlink the module until we've removed all exposure. commit 944a1fa01266aa9ace607f29551b73c41e9440e9 upstream. Otherwise we get a race between unload and reload of the same module: the new module doesn't see the old one in the list, but then fails because it can't register over the still-extant entries in sysfs: [ 103.981925] ------------[ cut here ]------------ [ 103.986902] WARNING: at fs/sysfs/dir.c:536 sysfs_add_one+0xab/0xd0() [ 103.993606] Hardware name: CrownBay Platform [ 103.998075] sysfs: cannot create duplicate filename '/module/pch_gbe' [ 104.004784] Modules linked in: pch_gbe(+) [last unloaded: pch_gbe] [ 104.011362] Pid: 3021, comm: modprobe Tainted: G W 3.9.0-rc5+ #5 [ 104.018662] Call Trace: [ 104.021286] [] warn_slowpath_common+0x6d/0xa0 [ 104.026933] [] ? sysfs_add_one+0xab/0xd0 [ 104.031986] [] ? sysfs_add_one+0xab/0xd0 [ 104.037000] [] warn_slowpath_fmt+0x2e/0x30 [ 104.042188] [] sysfs_add_one+0xab/0xd0 [ 104.046982] [] create_dir+0x5e/0xa0 [ 104.051633] [] sysfs_create_dir+0x78/0xd0 [ 104.056774] [] kobject_add_internal+0x83/0x1f0 [ 104.062351] [] ? kvasprintf+0x46/0x60 [ 104.067231] [] kobject_add_varg+0x2d/0x50 [ 104.072450] [] kobject_init_and_add+0x27/0x30 [ 104.078075] [] mod_sysfs_setup+0x80/0x540 [ 104.083207] [] ? module_bug_finalize+0x51/0xc0 [ 104.088720] [] load_module+0x1429/0x18b0 We can teardown sysfs first, then to be sure, put the state in MODULE_STATE_UNFORMED so it's ignored while we deconstruct it. Reported-by: Veaceslav Falico Tested-by: Veaceslav Falico Signed-off-by: Rusty Russell Cc: Ben Greear Signed-off-by: Greg Kroah-Hartman commit 7838c2de343352c71fc33406f17af5ef66a3f0e1 Author: Jan Beulich Date: Wed May 29 13:43:54 2013 +0100 x86, crc32-pclmul: Fix build with older binutils commit 2baad6121e2b2fa3428ee6cb2298107be11ab23a upstream. binutils prior to 2.18 (e.g. the ones found on SLE10) don't support assembling PEXTRD, so a macro based approach like the one for PCLMULQDQ in the same file should be used. This requires making the helper macros capable of recognizing 32-bit general purpose register operands. [ hpa: tagging for stable as it is a low risk build fix ] Signed-off-by: Jan Beulich Link: http://lkml.kernel.org/r/51A6142A02000078000D99D8@nat28.tlf.novell.com Cc: Alexander Boyko Cc: Herbert Xu Cc: Huang Ying Signed-off-by: H. Peter Anvin Signed-off-by: Greg Kroah-Hartman commit cd7b304dfaf1f3999ac5d2a1feeba95dec4284a9 Author: Yinghai Lu Date: Fri May 17 11:49:10 2013 -0700 x86, range: fix missing merge during add range commit fbe06b7bae7c9cf6ab05168fce5ee93b2f4bae7c upstream. Christian found v3.9 does not work with E350 with EFI is enabled. [ 1.658832] Trying to unpack rootfs image as initramfs... [ 1.679935] BUG: unable to handle kernel paging request at ffff88006e3fd000 [ 1.686940] IP: [] memset+0x1f/0xb0 [ 1.692010] PGD 1f77067 PUD 1f7a067 PMD 61420067 PTE 0 but early memtest report all memory could be accessed without problem. early page table is set in following sequence: [ 0.000000] init_memory_mapping: [mem 0x00000000-0x000fffff] [ 0.000000] init_memory_mapping: [mem 0x6e600000-0x6e7fffff] [ 0.000000] init_memory_mapping: [mem 0x6c000000-0x6e5fffff] [ 0.000000] init_memory_mapping: [mem 0x00100000-0x6bffffff] [ 0.000000] init_memory_mapping: [mem 0x6e800000-0x6ea07fff] but later efi_enter_virtual_mode try set mapping again wrongly. [ 0.010644] pid_max: default: 32768 minimum: 301 [ 0.015302] init_memory_mapping: [mem 0x640c5000-0x6e3fcfff] that means it fails with pfn_range_is_mapped. It turns out that we have a bug in add_range_with_merge and it does not merge range properly when new add one fill the hole between two exsiting ranges. In the case when [mem 0x00100000-0x6bffffff] is the hole between [mem 0x00000000-0x000fffff] and [mem 0x6c000000-0x6e7fffff]. Fix the add_range_with_merge by calling itself recursively. Reported-by: "Christian König" Signed-off-by: Yinghai Lu Link: http://lkml.kernel.org/r/CAE9FiQVofGoSk7q5-0irjkBxemqK729cND4hov-1QCBJDhxpgQ@mail.gmail.com Signed-off-by: H. Peter Anvin Signed-off-by: Greg Kroah-Hartman commit 1f79890190acaa8519694cdb0a51040096a9747d Author: Zhang Yanfei Date: Tue May 14 14:48:58 2013 +0800 x86-64, init: Fix a possible wraparound bug in switchover in head_64.S commit e9d0626ed43a41a3fc526d1df06122b0d4eac174 upstream. In head_64.S, a switchover has been used to handle kernel crossing 1G, 512G boundaries. And commit 8170e6bed465b4b0c7687f93e9948aca4358a33b x86, 64bit: Use a #PF handler to materialize early mappings on demand said: During the switchover in head_64.S, before #PF handler is available, we use three pages to handle kernel crossing 1G, 512G boundaries with sharing page by playing games with page aliasing: the same page is mapped twice in the higher-level tables with appropriate wraparound. But from the switchover code, when we set up the PUD table: 114 addq $4096, %rdx 115 movq %rdi, %rax 116 shrq $PUD_SHIFT, %rax 117 andl $(PTRS_PER_PUD-1), %eax 118 movq %rdx, (4096+0)(%rbx,%rax,8) 119 movq %rdx, (4096+8)(%rbx,%rax,8) It seems line 119 has a potential bug there. For example, if the kernel is loaded at physical address 511G+1008M, that is 000000000 111111111 111111000 000000000000000000000 and the kernel _end is 512G+2M, that is 000000001 000000000 000000001 000000000000000000000 So in this example, when using the 2nd page to setup PUD (line 114~119), rax is 511. In line 118, we put rdx which is the address of the PMD page (the 3rd page) into entry 511 of the PUD table. But in line 119, the entry we calculate from (4096+8)(%rbx,%rax,8) has exceeded the PUD page. IMO, the entry in line 119 should be wraparound into entry 0 of the PUD table. The patch fixes the bug. Signed-off-by: Zhang Yanfei Link: http://lkml.kernel.org/r/5191DE5A.3020302@cn.fujitsu.com Signed-off-by: Yinghai Lu Signed-off-by: H. Peter Anvin Signed-off-by: Greg Kroah-Hartman commit 4a7106eed9fad1198c909fd46f27abc5abef5fbd Author: Pekka Riikonen Date: Mon May 13 14:32:07 2013 +0200 x86: Allow FPU to be used at interrupt time even with eagerfpu commit 5187b28ff08249ab8a162e802209ed04e271ca02 upstream. With the addition of eagerfpu the irq_fpu_usable() now returns false negatives especially in the case of ksoftirqd and interrupted idle task, two common cases for FPU use for example in networking/crypto. With eagerfpu=off FPU use is possible in those contexts. This is because of the eagerfpu check in interrupted_kernel_fpu_idle(): ... * For now, with eagerfpu we will return interrupted kernel FPU * state as not-idle. TBD: Ideally we can change the return value * to something like __thread_has_fpu(current). But we need to * be careful of doing __thread_clear_has_fpu() before saving * the FPU etc for supporting nested uses etc. For now, take * the simple route! ... if (use_eager_fpu()) return 0; As eagerfpu is automatically "on" on those CPUs that also have the features like AES-NI this patch changes the eagerfpu check to return 1 in case the kernel_fpu_begin() has not been said yet. Once it has been the __thread_has_fpu() will start returning 0. Notice that with eagerfpu the __thread_has_fpu is always true initially. FPU use is thus always possible no matter what task is under us, unless the state has already been saved with kernel_fpu_begin(). [ hpa: this is a performance regression, not a correctness regression, but since it can be quite serious on CPUs which need encryption at interrupt time I am marking this for urgent/stable. ] Signed-off-by: Pekka Riikonen Link: http://lkml.kernel.org/r/alpine.GSO.2.00.1305131356320.18@git.silcnet.org Signed-off-by: H. Peter Anvin Signed-off-by: Greg Kroah-Hartman commit 630f317ebca45ced424009efcda5dd74fc060da4 Author: wenxiong@linux.vnet.ibm.com Date: Wed Apr 17 09:34:06 2013 -0500 SCSI: ipr: Need to reset adapter after the 6th EEH error commit 96b04db9f2c16e77c31ef0e17e143da1e0cbfd78 upstream. Add reset adapter after the 6th EEH errors in ipr driver. This triggers the adapter reset via the PCI config space even when the slot is frozen. Signed-off-by: Wen Xiong Acked-by: Brian King Signed-off-by: James Bottomley Signed-off-by: Greg Kroah-Hartman commit e504ca37c0e9e4d91a179df0ddc583c0bcc81e1a Author: Aneesh Kumar K.V Date: Fri May 24 15:55:21 2013 -0700 mm/THP: use pmd_populate() to update the pmd with pgtable_t pointer commit 7c3425123ddfdc5f48e7913ff59d908789712b18 upstream. We should not use set_pmd_at to update pmd_t with pgtable_t pointer. set_pmd_at is used to set pmd with huge pte entries and architectures like ppc64, clear few flags from the pte when saving a new entry. Without this change we observe bad pte errors like below on ppc64 with THP enabled. BUG: Bad page map in process ld mm=0xc000001ee39f4780 pte:7fc3f37848000001 pmd:c000001ec0000000 Signed-off-by: Aneesh Kumar K.V Cc: Hugh Dickins Cc: Benjamin Herrenschmidt Reviewed-by: Andrea Arcangeli Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 4b757d1a2e0af4ce945459c238b7a71dfae34021 Author: Cliff Wickman Date: Fri May 24 15:55:36 2013 -0700 mm/pagewalk.c: walk_page_range should avoid VM_PFNMAP areas commit a9ff785e4437c83d2179161e012f5bdfbd6381f0 upstream. A panic can be caused by simply cat'ing /proc//smaps while an application has a VM_PFNMAP range. It happened in-house when a benchmarker was trying to decipher the memory layout of his program. /proc//smaps and similar walks through a user page table should not be looking at VM_PFNMAP areas. Certain tests in walk_page_range() (specifically split_huge_page_pmd()) assume that all the mapped PFN's are backed with page structures. And this is not usually true for VM_PFNMAP areas. This can result in panics on kernel page faults when attempting to address those page structures. There are a half dozen callers of walk_page_range() that walk through a task's entire page table (as N. Horiguchi pointed out). So rather than change all of them, this patch changes just walk_page_range() to ignore VM_PFNMAP areas. The logic of hugetlb_vma() is moved back into walk_page_range(), as we want to test any vma in the range. VM_PFNMAP areas are used by: - graphics memory manager gpu/drm/drm_gem.c - global reference unit sgi-gru/grufile.c - sgi special memory char/mspec.c - and probably several out-of-tree modules [akpm@linux-foundation.org: remove now-unused hugetlb_vma() stub] Signed-off-by: Cliff Wickman Reviewed-by: Naoya Horiguchi Cc: Mel Gorman Cc: Andrea Arcangeli Cc: Dave Hansen Cc: David Sterba Cc: Johannes Weiner Cc: KOSAKI Motohiro Cc: "Kirill A. Shutemov" Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit f5427b0dd73d16f71ddfb6aeeec7dcfe1317c957 Author: Brian Behlendorf Date: Fri May 24 15:55:28 2013 -0700 drivers/block/brd.c: fix brd_lookup_page() race commit dfd20b2b174d3a9b258ea3b7a35ead33576587b1 upstream. The index on the page must be set before it is inserted in the radix tree. Otherwise there is a small race which can occur during lookup where the page can be found with the incorrect index. This will trigger the BUG_ON() in brd_lookup_page(). Signed-off-by: Brian Behlendorf Reported-by: Chris Wedgwood Cc: Jens Axboe Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 1099653f81d892c69b69e8cb1af8dafb756fb9b2 Author: Johannes Weiner Date: Fri May 24 15:55:15 2013 -0700 mm: memcg: remove incorrect VM_BUG_ON for swap cache pages in uncharge commit 28ccddf7952c496df2a51ce5aee4f2a058a98bab upstream. Commit 0c59b89c81ea ("mm: memcg: push down PageSwapCache check into uncharge entry functions") added a VM_BUG_ON() on PageSwapCache in the uncharge path after checking that page flag once, assuming that the state is stable in all paths, but this is not the case and the condition triggers in user environments. An uncharge after the last page table reference to the page goes away can race with reclaim adding the page to swap cache. Swap cache pages are usually uncharged when they are freed after swapout, from a path that also handles swap usage accounting and memcg lifetime management. However, since the last page table reference is gone and thus no references to the swap slot left, the swap slot will be freed shortly when reclaim attempts to write the page to disk. The whole swap accounting is not even necessary. So while the race condition for which this VM_BUG_ON was added is real and actually existed all along, there are no negative effects. Remove the VM_BUG_ON again. Reported-by: Heiko Carstens Reported-by: Lingzhu Xiang Signed-off-by: Johannes Weiner Acked-by: Hugh Dickins Acked-by: Michal Hocko Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 45f2ae9ac0dfef088a0acd577f24bc781690562d Author: Xiao Guangrong Date: Fri May 24 15:55:11 2013 -0700 mm: mmu_notifier: re-fix freed page still mapped in secondary MMU commit d34883d4e35c0a994e91dd847a82b4c9e0c31d83 upstream. Commit 751efd8610d3 ("mmu_notifier_unregister NULL Pointer deref and multiple ->release()") breaks the fix 3ad3d901bbcf ("mm: mmu_notifier: fix freed page still mapped in secondary MMU"). Since hlist_for_each_entry_rcu() is changed now, we can not revert that patch directly, so this patch reverts the commit and simply fix the bug spotted by that patch This bug spotted by commit 751efd8610d3 is: There is a race condition between mmu_notifier_unregister() and __mmu_notifier_release(). Assume two tasks, one calling mmu_notifier_unregister() as a result of a filp_close() ->flush() callout (task A), and the other calling mmu_notifier_release() from an mmput() (task B). A B t1 srcu_read_lock() t2 if (!hlist_unhashed()) t3 srcu_read_unlock() t4 srcu_read_lock() t5 hlist_del_init_rcu() t6 synchronize_srcu() t7 srcu_read_unlock() t8 hlist_del_rcu() <--- NULL pointer deref. This can be fixed by using hlist_del_init_rcu instead of hlist_del_rcu. The another issue spotted in the commit is "multiple ->release() callouts", we needn't care it too much because it is really rare (e.g, can not happen on kvm since mmu-notify is unregistered after exit_mmap()) and the later call of multiple ->release should be fast since all the pages have already been released by the first call. Anyway, this issue should be fixed in a separate patch. -stable suggestions: Any version that has commit 751efd8610d3 need to be backported. I find the oldest version has this commit is 3.0-stable. [akpm@linux-foundation.org: tweak comments] Signed-off-by: Xiao Guangrong Tested-by: Robin Holt Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit c5449a5c0b2823a26586922988fae08ad844d837 Author: Ryusuke Konishi Date: Fri May 24 15:55:29 2013 -0700 nilfs2: fix issue of nilfs_set_page_dirty() for page at EOF boundary commit 136e8770cd5d1fe38b3c613100dd6dc4db6d4fa6 upstream. nilfs2: fix issue of nilfs_set_page_dirty for page at EOF boundary DESCRIPTION: There are use-cases when NILFS2 file system (formatted with block size lesser than 4 KB) can be remounted in RO mode because of encountering of "broken bmap" issue. The issue was reported by Anthony Doggett : "The machine I've been trialling nilfs on is running Debian Testing, Linux version 3.2.0-4-686-pae (debian-kernel@lists.debian.org) (gcc version 4.6.3 (Debian 4.6.3-14) ) #1 SMP Debian 3.2.35-2), but I've also reproduced it (identically) with Debian Unstable amd64 and Debian Experimental (using the 3.8-trunk kernel). The problematic partitions were formatted with "mkfs.nilfs2 -b 1024 -B 8192"." SYMPTOMS: (1) System log contains error messages likewise: [63102.496756] nilfs_direct_assign: invalid pointer: 0 [63102.496786] NILFS error (device dm-17): nilfs_bmap_assign: broken bmap (inode number=28) [63102.496798] [63102.524403] Remounting filesystem read-only (2) The NILFS2 file system is remounted in RO mode. REPRODUSING PATH: (1) Create volume group with name "unencrypted" by means of vgcreate utility. (2) Run script (prepared by Anthony Doggett ): ----------------[BEGIN SCRIPT]-------------------- VG=unencrypted lvcreate --size 2G --name ntest $VG mkfs.nilfs2 -b 1024 -B 8192 /dev/mapper/$VG-ntest mkdir /var/tmp/n mkdir /var/tmp/n/ntest mount /dev/mapper/$VG-ntest /var/tmp/n/ntest mkdir /var/tmp/n/ntest/thedir cd /var/tmp/n/ntest/thedir sleep 2 date darcs init sleep 2 dmesg|tail -n 5 date darcs whatsnew || true date sleep 2 dmesg|tail -n 5 ----------------[END SCRIPT]-------------------- REPRODUCIBILITY: 100% INVESTIGATION: As it was discovered, the issue takes place during segment construction after executing such sequence of user-space operations: open("_darcs/index", O_RDWR|O_CREAT|O_NOCTTY, 0666) = 7 fstat(7, {st_mode=S_IFREG|0644, st_size=0, ...}) = 0 ftruncate(7, 60) The error message "NILFS error (device dm-17): nilfs_bmap_assign: broken bmap (inode number=28)" takes place because of trying to get block number for third block of the file with logical offset #3072 bytes. As it is possible to see from above output, the file has 60 bytes of the whole size. So, it is enough one block (1 KB in size) allocation for the whole file. Trying to operate with several blocks instead of one takes place because of discovering several dirty buffers for this file in nilfs_segctor_scan_file() method. The root cause of this issue is in nilfs_set_page_dirty function which is called just before writing to an mmapped page. When nilfs_page_mkwrite function handles a page at EOF boundary, it fills hole blocks only inside EOF through __block_page_mkwrite(). The __block_page_mkwrite() function calls set_page_dirty() after filling hole blocks, thus nilfs_set_page_dirty function (= a_ops->set_page_dirty) is called. However, the current implementation of nilfs_set_page_dirty() wrongly marks all buffers dirty even for page at EOF boundary. As a result, buffers outside EOF are inconsistently marked dirty and queued for write even though they are not mapped with nilfs_get_block function. FIX: This modifies nilfs_set_page_dirty() not to mark hole blocks dirty. Thanks to Vyacheslav Dubeyko for his effort on analysis and proposals for this issue. Signed-off-by: Ryusuke Konishi Reported-by: Anthony Doggett Reported-by: Vyacheslav Dubeyko Cc: Vyacheslav Dubeyko Tested-by: Ryusuke Konishi Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit f68a533ce8484b368aa0c953871e979dbea374bc Author: Imre Deak Date: Fri May 24 15:55:09 2013 -0700 wait: fix false timeouts when using wait_event_timeout() commit 4c663cfc523a88d97a8309b04a089c27dc57fd7e upstream. Many callers of the wait_event_timeout() and wait_event_interruptible_timeout() expect that the return value will be positive if the specified condition becomes true before the timeout elapses. However, at the moment this isn't guaranteed. If the wake-up handler is delayed enough, the time remaining until timeout will be calculated as 0 - and passed back as a return value - even if the condition became true before the timeout has passed. Fix this by returning at least 1 if the condition becomes true. This semantic is in line with what wait_for_condition_timeout() does; see commit bb10ed09 ("sched: fix wait_for_completion_timeout() spurious failure under heavy load"). Daniel said "We have 3 instances of this bug in drm/i915. One case even where we switch between the interruptible and not interruptible wait_event_timeout variants, foolishly presuming they have the same semantics. I very much like this." One such bug is reported at https://bugs.freedesktop.org/show_bug.cgi?id=64133 Signed-off-by: Imre Deak Acked-by: Daniel Vetter Acked-by: David Howells Acked-by: Jens Axboe Cc: "Paul E. McKenney" Cc: Dave Jones Cc: Lukas Czerner Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 0d11dc2038d5d5e3b16ac0d2adf2d41129b8dba6 Author: wang, biao Date: Thu May 16 09:50:13 2013 +0800 klist: del waiter from klist_remove_waiters before wakeup waitting process commit ac5a2962b02f57dea76d314ef2521a2170b28ab6 upstream. There is a race between klist_remove and klist_release. klist_remove uses a local var waiter saved on stack. When klist_release calls wake_up_process(waiter->process) to wake up the waiter, waiter might run immediately and reuse the stack. Then, klist_release calls list_del(&waiter->list) to change previous wait data and cause prior waiter thread corrupt. The patch fixes it against kernel 3.9. Signed-off-by: wang, biao Acked-by: Peter Zijlstra Signed-off-by: Greg Kroah-Hartman commit 548950016a94a32059b0089b2af65d45582fb87b Author: Leonid Yegoshin Date: Fri May 24 15:55:18 2013 -0700 mm compaction: fix of improper cache flush in migration code commit c2cc499c5bcf9040a738f49e8051b42078205748 upstream. Page 'new' during MIGRATION can't be flushed with flush_cache_page(). Using flush_cache_page(vma, addr, pfn) is justified only if the page is already placed in process page table, and that is done right after flush_cache_page(). But without it the arch function has no knowledge of process PTE and does nothing. Besides that, flush_cache_page() flushes an application cache page, but the kernel has a different page virtual address and dirtied it. Replace it with flush_dcache_page(new) which is the proper usage. The old page is flushed in try_to_unmap_one() before migration. This bug takes place in Sead3 board with M14Kc MIPS CPU without cache aliasing (but Harvard arch - separate I and D cache) in tight memory environment (128MB) each 1-3days on SOAK test. It fails in cc1 during kernel build (SIGILL, SIGBUS, SIGSEG) if CONFIG_COMPACTION is switched ON. Signed-off-by: Leonid Yegoshin Cc: Leonid Yegoshin Acked-by: Rik van Riel Cc: Michal Hocko Acked-by: Mel Gorman Cc: Ralf Baechle Cc: Russell King Cc: David Miller Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 1270adf547c59c661c48226ab893b6eb2a893b4c Author: Alexandre Bounine Date: Fri May 24 15:55:17 2013 -0700 rapidio/tsi721: fix bug in MSI interrupt handling commit 1ccc819da6fda9bee10ab8b72e9adbb5ad3e4959 upstream. Fix bug in MSI interrupt handling which causes loss of event notifications. Typical indication of lost MSI interrupts are stalled message and doorbell transfers between RapidIO endpoints. To avoid loss of MSI interrupts all interrupts from the device must be disabled on entering the interrupt handler routine and re-enabled when exiting it. Re-enabling device interrupts will trigger new MSI message(s) if Tsi721 registered new events since entering interrupt handler routine. This patch is applicable to kernel versions starting from v3.2. Signed-off-by: Alexandre Bounine Cc: Matt Porter Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 82bc5196c49c823941ea7f564a48cc3522e3f9ce Author: Christian Gmeiner Date: Fri May 24 15:55:22 2013 -0700 drivers/leds/leds-ot200.c: fix error caused by shifted mask commit 4b949b8af12e24b8a48fa5bb775a13b558d9f4da upstream. During the development of this driver an in-house register documentation was used. The last week some integration tests were done and this problem was found. It turned out that the released register documentation is wrong. The fix is very simple: shift all masks by one. Signed-off-by: Christian Gmeiner Cc: Bryan Wu Cc: Sebastian Andrzej Siewior Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 49adc03c417dee5c2f7d61293ea281d09c0e64b8 Author: Martin Michlmayr Date: Sun Apr 21 17:14:00 2013 +0100 Kirkwood: Enable PCIe port 1 on QNAP TS-11x/TS-21x commit 99e11334dcb846f9b76fb808196c7f47aa83abb3 upstream. Enable KW_PCIE1 on QNAP TS-11x/TS-21x devices as newer revisions (rev 1.3) have a USB 3.0 chip from Etron on PCIe port 1. Thanks to Marek Vasut for identifying this issue! Signed-off-by: Martin Michlmayr Tested-by: Marek Vasut Acked-by: Andrew Lunn Signed-off-by: Jason Cooper Signed-off-by: Greg Kroah-Hartman commit a33111ea13033e808a05d3e7d1a54d584af20a1b Author: Joseph Qi Date: Fri May 24 15:55:34 2013 -0700 ocfs2: goto out_unlock if ocfs2_get_clusters_nocache() failed in ocfs2_fiemap() commit b4ca2b4b577c3530e34dcfaafccb2cc680ce95d1 upstream. Last time we found there is lock/unlock bug in ocfs2_file_aio_write, and then we did a thorough search for all lock resources in ocfs2_inode_info, including rw, inode and open lockres and found this bug. My kernel version is 3.0.13, and it is also in the lastest version 3.9. In ocfs2_fiemap, once ocfs2_get_clusters_nocache failed, it should goto out_unlock instead of out, because we need release buffer head, up read alloc sem and unlock inode. Signed-off-by: Joseph Qi Reviewed-by: Jie Liu Cc: Mark Fasheh Cc: Joel Becker Acked-by: Sunil Mushran Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit e8b4bb434f1aa66c0ecdc5776782577573ec9edd Author: Sujith Manoharan Date: Thu May 16 22:47:34 2013 +0530 ath9k_hw: Enable manual peak calibration for AR9485 commit e99c60b58b595eaa1c279922ae29d5397c787294 upstream. Manual peak calibration is currently enabled only for AR9462 and AR9565. This is also required for AR9485. The initvals are also modified to disable HW peak calibration. Signed-off-by: Sujith Manoharan Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit d39b7e1de3176d5ab3898a335023c3f9e7c516eb Author: Sujith Manoharan Date: Fri May 10 18:41:06 2013 +0530 ath9k: Fix crash on module unload commit af690092ce91a2a6d807cdfcc0b0b9b71ae54d3e upstream. Make sure that any open relayfs files are closed before unregistering with mac80211, otherwise this crash is seen: [ 1331.097846] BUG: unable to handle kernel paging request at 6b6b6b8b [ 1331.098170] IP: [] debugfs_remove+0x26/0x80 [ 1331.098170] *pdpt = 000000002f9aa001 *pde = 0000000000000000 [ 1331.098170] Oops: 0000 [#1] PREEMPT SMP [ 1331.098170] Modules linked in: iptable_raw xt_CT nf_conntrack_ipv4 nf_defrag] [ 1331.098170] Pid: 4794, comm: rmmod Tainted: G WC 3.9.1+ #5 To Be Fi. [ 1331.098170] EIP: 0060:[] EFLAGS: 00010202 CPU: 0 [ 1331.098170] EIP is at debugfs_remove+0x26/0x80 [ 1331.098170] EAX: f2f3acd0 EBX: f2f3acd0 ECX: 00000006 EDX: f8622348 [ 1331.098170] ESI: 6b6b6b6b EDI: 00000001 EBP: ee251e14 ESP: ee251e0c [ 1331.098170] DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068 [ 1331.098170] CR0: 8005003b CR2: 6b6b6b8b CR3: 2e7b7000 CR4: 000007e0 [ 1331.098170] DR0: 00000000 DR1: 00000000 DR2: 00000000 DR3: 00000000 [ 1331.098170] DR6: ffff0ff0 DR7: 00000400 [ 1331.098170] Process rmmod (pid: 4794, ti=ee250000 task=efaa2560 task.ti=ee25) [ 1331.098170] Stack: [ 1331.098170] f241e170 0000000a ee251e1c f861394d ee251e28 c04e3088 f241e170 4 [ 1331.098170] c04e30fe f45482b0 ee251e54 c04e3187 f25e86b0 ee251e54 f8618748 0 [ 1331.098170] 0000000a 00000001 ee251e68 f860065b f2509e20 f25085a0 f5b6e8a4 8 [ 1331.098170] Call Trace: [ 1331.098170] [] remove_buf_file_handler+0xd/0x20 [ath9k] [ 1331.098170] [] relay_remove_buf+0x18/0x30 [ 1331.098170] [] relay_close_buf+0x2e/0x40 [ 1331.098170] [] relay_close+0x77/0xf0 [ 1331.098170] [] ? dpd_exit+0x38/0x40 [ath9k] [ 1331.098170] [] ath9k_deinit_softc+0x8b/0xa0 [ath9k] [ 1331.098170] [] ath9k_deinit_device+0x48/0x60 [ath9k] [ 1331.098170] [] ath_pci_remove+0x31/0x50 [ath9k] [ 1331.098170] [] pci_device_remove+0x38/0xc0 [ 1331.098170] [] __device_release_driver+0x64/0xc0 [ 1331.098170] [] driver_detach+0x97/0xa0 [ 1331.098170] [] bus_remove_driver+0x6c/0xe0 [ 1331.098170] [] ? bus_put+0x17/0x20 [ 1331.098170] [] ? bus_remove_driver+0x83/0xe0 [ 1331.098170] [] driver_unregister+0x49/0x80 [ 1331.098170] [] pci_unregister_driver+0x18/0x80 [ 1331.098170] [] ath_pci_exit+0x12/0x20 [ath9k] [ 1331.098170] [] ath9k_exit+0x17/0x337 [ath9k] [ 1331.098170] [] ? mutex_unlock+0xd/0x10 [ 1331.098170] [] sys_delete_module+0x17c/0x250 [ 1331.098170] [] ? do_munmap+0x244/0x2d0 [ 1331.098170] [] ? vm_munmap+0x46/0x60 [ 1331.098170] [] ? restore_all+0xf/0xf [ 1331.098170] [] ? __do_page_fault+0x4c0/0x4c0 [ 1331.098170] [] ? trace_hardirqs_on_caller+0xf4/0x180 [ 1331.098170] [] sysenter_do_call+0x12/0x38 [ 1331.098170] Code: 90 8d 74 26 00 55 89 e5 83 ec 08 89 1c 24 89 74 24 04 3e 82 [ 1331.098170] EIP: [] debugfs_remove+0x26/0x80 SS:ESP 0068:ee251e0c [ 1331.098170] CR2: 000000006b6b6b8b [ 1331.727971] ---[ end trace b5bb9f2066cef7f9 ]--- Acked-by: Simon Wunderlich Tested-by: Ben Greear Signed-off-by: Sujith Manoharan Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit 000a4c4f0d46a05453398a96dd40e2fe1edbc1fa Author: Ben Hutchings Date: Mon May 20 14:45:26 2013 +0000 perf: net_dropmonitor: Fix symbol-relative addresses commit 5a1e99dd2028e00998d42029be86835d8ef4a46e upstream. The comparison between traced and symbol addresses is backwards: if the traced address doesn't exactly match a symbol (which we don't expect it to), we'll show the next symbol and the offset to it, whereas we should show the previous symbol and the offset from it. Signed-off-by: Ben Hutchings Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit c86d7a51ffea40b252bcb99e6085ca48e08d5c56 Author: Ben Hutchings Date: Mon May 20 14:44:43 2013 +0000 perf: net_dropmonitor: Fix trace parameter order commit 140c3c6a2bcd2c31e2f7f5a8d59689724776c8e5 upstream. This works much better if we don't treat protocol numbers as addresses. Signed-off-by: Ben Hutchings Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit b042d0bdfab0c8d52a54ed979531356c259bca57 Author: Michael Chan Date: Mon May 13 11:04:16 2013 +0000 tg3: Fix data corruption on 5725 with TSO commit 0f0d15100a8ac875bdd408324c473e16d73d3557 upstream. The 5725 family of devices (asic rev 5762), corrupts TSO packets where the buffer is within MSS bytes of a 4G boundary (4G, 8G etc.). Detect this condition and trigger the workaround path. Signed-off-by: Michael Chan Signed-off-by: Nithin Nayak Sujir Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit f5a30b16941df0a86a394c749f6a3c243bd5bd5d Author: Nithin Sujir Date: Mon May 13 11:04:15 2013 +0000 tg3: Skip powering down function 0 on certain serdes devices commit 44f3b503c16425c8e9db4bbaa2fc9cd0c9d0ba91 upstream. On the 5718, 5719 and 5720 serdes devices, powering down function 0 results in all the other ports being powered down. Add code to skip function 0 power down. v2: - Modify tg3_phy_power_bug() function to use a switch instead of a complicated if statement. Suggested by Joe Perches. Signed-off-by: Michael Chan Signed-off-by: Nithin Nayak Sujir Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit f2d6d3e2cebbb106058870f8197c02725ae4449b Author: OGAWA Hirofumi Date: Fri May 24 15:55:08 2013 -0700 fat: fix possible overflow for fat_clusters commit 7b92d03c3239f43e5b86c9cc9630f026d36ee995 upstream. Intermediate value of fat_clusters can be overflowed on 32bits arch. Reported-by: Krzysztof Strasburger Signed-off-by: OGAWA Hirofumi Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit e1012ed0795acc5bc95619229ecf99216b390c17 Author: Jiri Kosina Date: Fri May 24 15:55:33 2013 -0700 random: fix accounting race condition with lockless irq entropy_count update commit 10b3a32d292c21ea5b3ad5ca5975e88bb20b8d68 upstream. Commit 902c098a3663 ("random: use lockless techniques in the interrupt path") turned IRQ path from being spinlock protected into lockless cmpxchg-retry update. That commit removed r->lock serialization between crediting entropy bits from IRQ context and accounting when extracting entropy on userspace read path, but didn't turn the r->entropy_count reads/updates in account() to use cmpxchg as well. It has been observed, that under certain circumstances this leads to read() on /dev/urandom to return 0 (EOF), as r->entropy_count gets corrupted and becomes negative, which in turn results in propagating 0 all the way from account() to the actual read() call. Convert the accounting code to be the proper lockless counterpart of what has been partially done by 902c098a3663. Signed-off-by: Jiri Kosina Cc: Theodore Ts'o Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit faafa58839cb38a6efc29ee84de8b62bd872d82b Author: Jarod Wilson Date: Fri May 24 15:55:31 2013 -0700 drivers/char/random.c: fix priming of last_data commit 1e7e2e05c179a68aaf8830fe91547a87f4589e53 upstream. Commit ec8f02da9ea5 ("random: prime last_data value per fips requirements") added priming of last_data per fips requirements. Unfortuantely, it did so in a way that can lead to multiple threads all incrementing nbytes, but only one actually doing anything with the extra data, which leads to some fun random corruption and panics. The fix is to simply do everything needed to prime last_data in a single shot, so there's no window for multiple cpus to increment nbytes -- in fact, we won't even increment or decrement nbytes anymore, we'll just extract the needed EXTRACT_SIZE one time per pool and then carry on with the normal routine. All these changes have been tested across multiple hosts and architectures where panics were previously encoutered. The code changes are are strictly limited to areas only touched when when booted in fips mode. This change should also go into 3.8-stable, to make the myriads of fips users on 3.8.x happy. Signed-off-by: Jarod Wilson Tested-by: Jan Stancek Tested-by: Jan Stodola Cc: Herbert Xu Acked-by: Neil Horman Cc: "David S. Miller" Cc: Matt Mackall Cc: "Theodore Ts'o" Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit ac645c6469dcc5a4bdbce8ed98e40182e8e54140 Author: Vineet Gupta Date: Tue May 21 15:25:11 2013 +0530 ARC: copy_(to|from)_user() to honor usermode-access permissions commit a950549c675f2c8c504469dec7d780da8a6433dc upstream. This manifested as grep failing psuedo-randomly: -------------->8--------------------- [ARCLinux]$ ip address show lo | grep inet [ARCLinux]$ ip address show lo | grep inet [ARCLinux]$ ip address show lo | grep inet [ARCLinux]$ [ARCLinux]$ ip address show lo | grep inet inet 127.0.0.1/8 scope host lo -------------->8--------------------- ARC700 MMU provides fully orthogonal permission bits per page: Ur, Uw, Ux, Kr, Kw, Kx The user mode page permission templates used to have all Kernel mode access bits enabled. This caused a tricky race condition observed with uClibc buffered file read and UNIX pipes. 1. Read access to an anon mapped page in libc .bss: write-protected zero_page mapped: TLB Entry installed with Ur + K[rwx] 2. grep calls libc:getc() -> buffered read layer calls read(2) with the internal read buffer in same .bss page. The read() call is on STDIN which has been redirected to a pipe. read(2) => sys_read() => pipe_read() => copy_to_user() 3. Since page has Kernel-write permission (despite being user-mode write-protected), copy_to_user() suceeds w/o taking a MMU TLB-Miss Exception (page-fault for ARC). core-MM is unaware that kernel erroneously wrote to the reserved read-only zero-page (BUG #1) 4. Control returns to userspace which now does a write to same .bss page Since Linux MM is not aware that page has been modified by kernel, it simply reassigns a new writable zero-init page to mapping, loosing the prior write by kernel - effectively zero'ing out the libc read buffer under the hood - hence grep doesn't see right data (BUG #2) The fix is to make all kernel-mode access permissions mirror the user-mode ones. Note that the kernel still has full access to pages, when accessed directly (w/o MMU) - this fix ensures that kernel-mode access in copy_to_from() path uses the same faulting access model as for pure user accesses to keep MM fully aware of page state. The issue is peudo-random because it only shows up if the TLB entry installed in #1 is present at the time of #3. If it is evicted out, due to TLB pressure or some-such, then copy_to_user() does take a TLB Miss Exception, with a routine write-to-anon COW processing installing a fresh page for kernel writes and also usable as it is in userspace. Further the issue was dormant for so long as it depends on where the libc internal read buffer (in .bss) is mapped at runtime. If it happens to reside in file-backed data mapping of libc (in the page-aligned slack space trailing the file backed data), loader zero padding the slack space, does the early cow page replacement, setting things up at the very beginning itself. With gcc 4.8 based builds, the libc buffer got pushed out to a real anon mapping which triggers the issue. Reported-by: Anton Kolesov Signed-off-by: Vineet Gupta Signed-off-by: Greg Kroah-Hartman commit 92f3a29f74d31f4d2d055e0eaeb21145019c4a0a Author: Jeff Layton Date: Tue May 7 11:28:31 2013 -0400 cifs: only set ops for inodes in I_NEW state commit c2b93e0699723700f886ce17bb65ffd771195a6d upstream. It's generally not safe to reset the inode ops once they've been set. In the case where the inode was originally thought to be a directory and then later found to be a DFS referral, this can lead to an oops when we try to trigger an inode op on it after changing the ops to the blank referral operations. Reported-and-Tested-by: Sachin Prabhu Signed-off-by: Jeff Layton Signed-off-by: Steve French Signed-off-by: Greg Kroah-Hartman commit 3343e275c00997a0c68485434f149302830a2583 Author: K. Y. Srinivasan Date: Fri May 17 09:30:35 2013 -0700 Drivers: hv: Fix a bug in get_vp_index() commit d2242a384355773c711a936522bcfae0f35f8c2a upstream. Linux' notion of cpuid is different from the Host's notion of CPUID. In the call to bind the channel interrupts, we should use the host's notion of CPU Ids. Fix this bug. Signed-off-by: K. Y. Srinivasan Signed-off-by: Greg Kroah-Hartman commit 2d8343d22dc70f5b31f2996a717991349aec821e Author: Heiko Abraham Date: Sun May 5 19:49:49 2013 -0700 Input: egalax_ts - ABS_MT_POSITION_Y not reported well commit 3c9cfa782e075cc2348b949ba139911aac02c7cb upstream. The egalax_ts touchscreen modul not report ABS_MT_POSITION_Y proper. As result it may be, that upper software levels only receive x coordinates well. Signed-off-by: Heiko Abraham Signed-off-by: Dmitry Torokhov Signed-off-by: Greg Kroah-Hartman commit 29dfc5715ab29f5b3d1a30a59136c9e9e8d9bd86 Author: Alan Stern Date: Tue May 14 13:55:29 2013 -0400 USB: UHCI: fix for suspend of virtual HP controller commit 997ff893603c6455da4c5e26ba1d0f81adfecdfc upstream. HP's virtual UHCI host controller takes a long time to suspend (several hundred microseconds), even when no devices are attached. This provokes a warning message from uhci-hcd in the auto-stop case. To prevent this from happening, this patch adds a test to avoid performing an auto-stop when the wait_for_hp quirk flag is set. The controller will still suspend through the normal runtime PM mechanism. And since that pathway includes a 1-ms delay, the slowness of the virtual hardware won't matter. Signed-off-by: Alan Stern Reported-and-tested-by: ZhenHua Signed-off-by: Greg Kroah-Hartman commit 3251317e8f0b705ca4999e4f272eb13ec5dcd6c4 Author: Alan Stern Date: Wed May 8 11:18:05 2013 -0400 USB: xHCI: override bogus bulk wMaxPacketSize values commit e4f47e3675e6f1f40906b785b934ce963e9f2eb3 upstream. This patch shortens the logic in xhci_endpoint_init() by moving common calculations involving max_packet and max_burst outside the switch statement, rather than repeating the same code in multiple case-specific statements. It also replaces two usages of max_packet which were clearly intended to be max_burst all along. More importantly, it compensates for a common bug in high-speed bulk endpoint descriptors. In many devices there is a bulk endpoint having a wMaxPacketSize value smaller than 512, which is forbidden by the USB spec. Some xHCI controllers can't handle this and refuse to accept the endpoint. This patch changes the max_packet value to 512, which allows the controller to use the endpoint properly. In practice the bogus maxpacket size doesn't matter, because none of the transfers sent via these endpoints are longer than the maxpacket value anyway. Signed-off-by: Alan Stern Reported-and-tested-by: "Aurélien Leblond" Signed-off-by: Greg Kroah-Hartman commit 710b6f6c7eea81f7b0a86f43e1b29e1ec2cfb202 Author: Oliver Neukum Date: Tue Apr 30 10:18:04 2013 +0200 USB: reset resume quirk needed by a hub commit bac6b03275184c912ad0818c9a0a736847804dca upstream. Werner Fink has reported problems with this hub. Signed-off-by: Oliver Neukum Signed-off-by: Greg Kroah-Hartman commit 75a1d53ff1bade2914a7ec6f5718c5b78cf4211f Author: Schemmel Hans-Christoph Date: Mon May 6 11:05:12 2013 +0200 USB: Blacklisted Cinterion's PLxx WWAN Interface commit 8ff10bdb14a52e3f25d4ce09e0582a8684c1a6db upstream. /drivers/usb/serial/option.c: Blacklisted Cinterion's PLxx WWAN Interface (USB Interface 4), because it will be handled by QMI WWAN driver. Product IDs renamed. Signed-off-by: Hans-Christoph Schemmel Signed-off-by: Greg Kroah-Hartman commit ec66032a191d4200eb71a048ded900d9d6431137 Author: Wang YanQing Date: Thu May 9 14:16:47 2013 +0800 TTY: Fix tty miss restart after we turn off flow-control commit dab73b4eb9ef924a2b90dab84e539076d82b256f upstream. I meet emacs hang in start if I do the operation below: 1: echo 3 > /proc/sys/vm/drop_caches 2: emacs BigFile 3: Press CTRL-S follow 2 immediately Then emacs hang on, CTRL-Q can't resume, the terminal hang on, you can do nothing with this terminal except close it. The reason is before emacs takeover control the tty, we use CTRL-S to XOFF it. Then when emacs takeover the control, it may don't use the flow-control, so emacs hang. This patch fix it. This patch will fix a kind of strange tty relation hang problem, I believe I meet it with vim in ssh, and also see below bug report: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=465823 Signed-off-by: Wang YanQing Signed-off-by: Greg Kroah-Hartman commit ac68bccce92ef21afe2e506ef48954c6e7695f7e Author: Dan Carpenter Date: Sun May 19 21:52:20 2013 +0300 USB: cxacru: potential underflow in cxacru_cm_get_array() commit 2a0ebf80aa95cc758d4725f74a7016e992606a39 upstream. The value of "offd" comes off the instance->rcv_buf[] and we used it as the offset into an array. The problem is that we check the upper bound but not for negative values. Signed-off-by: Dan Carpenter Signed-off-by: Greg Kroah-Hartman commit 08edd1c29f29e51f8ac32995b561578c1ec958f7 Author: Gomella, Andrew (NIH/NHLBI) [F] Date: Fri May 17 17:39:46 2013 +0000 USB: ftdi_sio: Add support for Newport CONEX motor drivers commit 7138143972b7c293267c783fc99a194f0ceff7f2 upstream. Here are two more devices that use FTDI USB-to-serial chips with new product ID's. The devices are the Newport Conex-AGP and Conex-CC motor controllers. (http://www.newport.com/CONEX-AGP-Integrated-Piezo-Motor-Rotation-Stages-/987623/1033/info.aspx) (http://www.newport.com/CONEX-CC-DC-Servo-Controller-Actuators/934114/1033/info.aspx) usb-devices command yields: P: Vendor=104d ProdID=3002 Rev=06.00 S: Manufacturer=Newport S: Product=CONEX-CC as well as P: Vendor=104d ProdID=3006 Rev=06.00 S: Manufacturer=Newport S: Product=CONEX-AGP Signed-off-by: Andrew Gomella Signed-off-by: Greg Kroah-Hartman commit b746f0f8e5916dc152cc04f902092b920a227364 Author: Dan Williams Date: Mon May 6 16:16:44 2013 -0500 USB: option: add device IDs for Dell 5804 (Novatel E371) WWAN card commit 49c6e370dd6400b84897c4100095089b5c13a061 upstream. A rebranded Novatel E371 for AT&T's LTE bands. Signed-off-by: Dan Williams Signed-off-by: Greg Kroah-Hartman commit 760bad03587e52564d8df2f17c3e808ea7de5863 Author: Teppo Kotilainen Date: Fri May 3 10:28:12 2013 +0300 usb: option: Add Telewell TW-LTE 4G commit 73c042df6e1bc50544842a04b777b36bbe3630e6 upstream. Information from driver description files: diag: VID_19D2&PID_0412&MI_00 nmea: VID_19D2&PID_0412&MI_01 at: VID_19D2&PID_0412&MI_02 modem: VID_19D2&PID_0412&MI_03 net: VID_19D2&PID_0412&MI_04 Signed-off-by: Teppo Kotilainen Signed-off-by: Greg Kroah-Hartman commit c547195882f735a27470dbdc6bcfec210d3aa0b5 Author: David Rientjes Date: Fri Apr 26 13:25:01 2013 -0700 usb, chipidea: fix link error when USB_EHCI_HCD is a module commit 7c8bfed7aaeba690de30835fe89882e1047a55fd upstream. Fixes link error when USB_EHCI_HCD=m and USB_CHIPIDEA_HOST=y: drivers/built-in.o: In function `ci_hdrc_host_init': drivers/usb/chipidea/host.c:104: undefined reference to `ehci_init_driver' as a result of commit 09f6ffde2ece ("USB: EHCI: fix build error by making ChipIdea host a normal EHCI driver"). Signed-off-by: David Rientjes Signed-off-by: Greg Kroah-Hartman commit 58f965f674d22d5327f01e34628944c230317ddd Author: Hema Prathaban Date: Sat May 11 22:39:47 2013 +0530 staging: vt6656: use free_netdev instead of kfree commit 0a438d5b381e2bdfd5e02d653bf46fcc878356e3 upstream. use free_netdev() instead of kfree(pDevice->apdev) Signed-off-by: Hema Prathaban Signed-off-by: Greg Kroah-Hartman commit 266478dbe978a34d1d75ac5fb62415b36f2af1d7 Author: Malcolm Priestley Date: Wed May 15 01:44:25 2013 +0100 staging: vt6656: [bug] Fix missing spin lock in iwctl_siwpower. commit 91ec61f8f01cf32868e2ed2fa96a299e77964055 upstream. Fixes occasional dead lock on power up / down. spin_lock_irq is used because of unlocking with spin_unlock_irq elsewhere in the driver. Only relevant to kernels 3.8 and later when command was transferred to the iw_handler. Signed-off-by: Malcolm Priestley Signed-off-by: Greg Kroah-Hartman commit 4b85315758a57b005008484f0eb72d3b092315b4 Author: Alexander Bondar Date: Thu May 2 16:34:48 2013 +0300 iwlwifi: mvm: Prevent setting assoc flag in MAC_CONTEXT_CMD commit ba283927268d45184c17c37ff78d427e59026229 upstream. In the normal flow first MAC_CONTEXT_CMD for particular interface is never sent while associated. The exception is fw restart flow when resuming from suspend when WoWLAN is enabled. In this case successive "add" and "modify" MAC_CONTEXT_CMD commands may be sent with assoc flag set what cause FW mal functioning. To prevent this never set assoc flag in MAC_CONTEXT_CMD with action "add". Signed-off-by: Alexander Bondar Reviewed-by: Emmanuel Grumbach Signed-off-by: Johannes Berg Signed-off-by: Greg Kroah-Hartman commit 321964d0b629c6c7ed43bb4eee990bab1561d9b7 Author: Ilan Peer Date: Sun Apr 28 08:18:28 2013 +0300 iwlwifi: mvm: Always use SCAN_TYPE_FORCED commit f70ed7b330ce769828d402f920fb13da6c13ea63 upstream. The FW AUX framework does not handle well cases where time events fail to be scheduled (and as a result issues assert 0x3330). Until a proper fix is in place, WA this by always setting the scan type to SCAN_TYPE_FORCED. Signed-off-by: Ilan Peer Reviewed-by: Emmanuel Grumbach Signed-off-by: Johannes Berg Signed-off-by: Greg Kroah-Hartman commit c52d6fec681236d2adc5cdfcc10e76c7baea455d Author: Johannes Berg Date: Mon May 13 16:42:40 2013 +0200 mac80211: fix AP-mode frame matching commit 2b9ccd4e4308272e5aec614b77c5385e7ec2ec90 upstream. In AP mode, ignore frames with mis-matched BSSID that aren't multicast or sent to the correct destination. This fixes reporting public action frames to userspace multiple times on multiple virtual AP interfaces. Reported-by: Jouni Malinen Signed-off-by: Johannes Berg Signed-off-by: Greg Kroah-Hartman commit 524a8e8f658703d0e105bfb48c26edcdefc2aa3c Author: Johannes Berg Date: Mon May 6 15:54:58 2013 +0200 mac80211: use just spin_lock() in ieee80211_get_tkip_p2k() commit 655914ab863bcc06c84270e4159fd59002d6b529 upstream. ieee80211_get_tkip_p2k() may be called with interrupts disabled, so spin_unlock_bh() isn't safe and leads to warnings. Since it's always called with BHs disabled already, just use spin_lock(). Reported-by: Milan Kocian Acked-by: Stanislaw Gruszka Signed-off-by: Johannes Berg Signed-off-by: Greg Kroah-Hartman commit 239ab3670a5241414b5e60bf8be0c819468c160c Author: Johannes Berg Date: Thu May 16 10:24:28 2013 +0200 cfg80211: fix sending WoWLAN TCP wakeup settings commit e248ad30204eff6559b4d2d94d49d9d46c08185a upstream. The code sending the current WoWLAN TCP wakeup settings in nl80211_send_wowlan_tcp() is not closing the nested attribute, thus causing the parser to get confused on the receiver side in userspace (iw). Fix this. Reported-by: Deepak Arora Signed-off-by: Johannes Berg Signed-off-by: Greg Kroah-Hartman commit c183f01b8c909323c42c77304f2fc4ad68cbd4a8 Author: Johannes Berg Date: Fri May 10 19:23:40 2013 +0200 cfg80211: fix wiphy_register error path commit 03cd7e4e1ea16cd151c799a33b5ca1fd41a464df upstream. If rfkill_register() fails in wiphy_register() the struct device is unregistered but everything else isn't (regulatory, debugfs) and we even leave the wiphy instance on all internal lists even though it will likely be freed soon, which is clearly a problem. Fix this by cleaning up properly. Signed-off-by: Johannes Berg Signed-off-by: Greg Kroah-Hartman commit b380790737a4c11e034ddeb56832b2cac35af6f0 Author: Johannes Berg Date: Mon Apr 29 12:09:14 2013 +0200 cfg80211: fix WoWLAN wakeup tracing commit a92eecbbeaf01ea2267751569dd3301248513915 upstream. If the device reports a non-wireless wakeup reason, the tracing code crashes trying to dereference a NULL pointer. Fix this by checking the pointer on all accesses and also add a non_wireless tag to the event. Signed-off-by: Johannes Berg Signed-off-by: Greg Kroah-Hartman commit fb263c4b7d13f6782b257d753ccb93363dc583cc Author: Boris BREZILLON Date: Thu May 23 18:01:21 2013 +0200 ARM: at91/dt: fix macb pinctrl_macb_rmii_mii_alt definition commit f6d35d67d0a5c159f767a20f4fcc1d295a7314b1 upstream. The PA24 pin is wrongly assigned to peripheral B. In the current config there is 2 ETX3 pins (PA11 and PA24) and no ETXER pin (PA22). Signed-off-by: Boris BREZILLON Signed-off-by: Nicolas Ferre Signed-off-by: Greg Kroah-Hartman commit 2261ddd846aee14180a14b98ca4586dccd28f758 Author: Jean-Christophe PLAGNIOL-VILLARD Date: Wed May 15 12:12:33 2013 +0200 ARM: at91: rm9200 fix time support commit b7a8ca5173ef9aa55fa039d7c216426ff0b25a12 upstream. since commit 838a2ae80a6ab52139fb1bf0a93ea8c5eff94488 Author: Shawn Guo Date: Sat Jan 12 11:50:05 2013 +0000 ARM: use clockevents_config_and_register() where possible The timer is wrongly configured and result in a nice crash so revert it on rm9200 timer. Signed-off-by: Jean-Christophe PLAGNIOL-VILLARD Cc: Shawn Guo Signed-off-by: Nicolas Ferre Signed-off-by: Greg Kroah-Hartman commit cb7ba724ca402d05cc6984d8b9c140bec8aad790 Author: Jean-Christophe PLAGNIOL-VILLARD Date: Tue May 7 22:06:57 2013 +0200 ARM: at91/trivial: fix model name for SAM9X25-EK commit 9349d00fc3ff2b110dc07d9f5d06abfeac300c19 upstream. Signed-off-by: Jean-Christophe PLAGNIOL-VILLARD Signed-off-by: Nicolas Ferre Signed-off-by: Greg Kroah-Hartman commit eba0590414dabae2213f50a876c380419dc4279b Author: Ard Biesheuvel Date: Wed May 15 10:46:30 2013 +0100 ARM: 7723/1: crypto: sha1-armv4-large.S: fix SP handling commit 934fc24df10abfd5aff533d0d044a17669d77d79 upstream. Make the SHA1 asm code ABI conformant by making sure all stack accesses occur above the stack pointer. Origin: http://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=1a9d60d2 Signed-off-by: Ard Biesheuvel Acked-by: Nicolas Pitre Signed-off-by: Russell King Signed-off-by: Greg Kroah-Hartman commit c06adef4bd1334a7149598166da006db03fb2195 Author: Vaibhav Hiremath Date: Wed Mar 27 15:34:26 2013 +0530 ARM: AM33XX: Add missing .clkdm_name to clkdiv32k_ick clock commit a6d25f4c951b8b28f2eaec6f891ff834622532f2 upstream. It is required to enable respective clock-domain before enabling any clock/module inside that clock-domain. During common-clock migration, .clkdm_name field got missed for "clkdiv32k_ick" clock, which leaves "clk_24mhz_clkdm" unused; so it will be disabled even if childs of this clock-domain is enabled, which keeps child modules in idle mode. This fixes the kernel crash observed on AM335xEVM-SK platform, where clkdiv32_ick clock is being used as a gpio debounce clock and since clkdiv32k_ick is in idle mode it leads to below crash - Crash Log: ========== [ 2.598347] Unhandled fault: external abort on non-linefetch (0x1028) at 0xfa1ac150 [ 2.606434] Internal error: : 1028 [#1] SMP ARM [ 2.611207] Modules linked in: [ 2.614449] CPU: 0 Not tainted (3.8.4-01382-g1f449cd-dirty #4) [ 2.620973] PC is at _set_gpio_debounce+0x60/0x104 [ 2.626025] LR is at clk_enable+0x30/0x3c Signed-off-by: Vaibhav Hiremath Cc: Rajendra Nayak Acked-by: Paul Walmsley Signed-off-by: Tony Lindgren Signed-off-by: Greg Kroah-Hartman commit b9c6487f8aa286e8552f7fc75206d5ed2fc5dba7 Author: jean-philippe francois Date: Thu May 16 11:25:07 2013 -0700 ARM: OMAP: fix __init section mismatch for _enable_preprogram commit 0f497039276fa2ca2ca324236848bb15c8c775dc upstream. _enable_preprogram is marked as __init, but is called from _enable which is not. Without this patch, the board oopses after init. Tested on custom hardware and on beagle board xM. Otherwise we can get: Unable to handle kernel paging request at virtual address 000b0012 pgd = cf968000 *pgd=8fb06831, *pte=00000000, *ppte=00000000 PREEMPT ARM Modules linked in: CPU: 0 Not tainted (3.9.0 #2) PC is at _enable_preprogram+0x1c/0x24 LR is at omap_hwmod_enable+0x34/0x60 psr: 80000093 sp : cf95de08 ip : 00002de5 fp : bec33d4c r10: 00000000 r9 : 00000002 r8 : b6dd2c78 r7 : 00000004 r6 : 00000000 r5 : a0000013 r4 : cf95c000 r3 : 00000000 r2 : b6dd2c7c r1 : 00000000 r0 : 000b0012 Flags: Nzcv IRQs off FIQs on Mode SVC_32 ISA ARM Segment user Control: 10c5387d Table: 8f968019 DAC: 00000015 Process otpcmd (pid: 607, stack limit = 0xcf95c230) Stack: (0xcf95de08 to 0xcf95e000) de00: 00000001 cf91f840 00000000 c001d6fc 00000002 cf91f840 de20: cf8f7e10 c001de54 cf8f7e10 c001de78 c001de68 c01d5e80 00000000 cf8f7e10 de40: cf8f7e10 c01d5f28 cf8f7e10 c0530d30 00000000 c01d6f28 00000000 c0088664 de60: b6ea1000 cfb05284 cf95c000 00000001 cf95c000 60000013 00000001 cf95dee4 de80: cf870050 c01d7308 cf870010 cf870050 00000001 c0278b14 c0526f28 00000000 dea0: cf870050 ffff8e18 00000001 cf95dee4 00000000 c0274f7c cf870050 00000001 dec0: cf95dee4 cf1d8484 000000e0 c0276464 00000008 cf9c0000 00000007 c0276980 dee0: cf9c0000 00000064 00000008 cf1d8404 cf1d8400 c01cc05c 0000270a cf1d8504 df00: 00000023 cf1d8484 00000007 c01cc670 00000bdd 00000001 00000000 cf449e60 df20: cf1dde70 cf1d8400 bec33d18 cf1d8504 c0246f00 00000003 cf95c000 00000000 df40: bec33d4c c01cd078 00000003 cf1d8504 00000081 c01cbcb8 bec33d18 00000003 df60: bec33d18 c00a9034 00002000 c00a9c68 cf92fe00 00000003 c0246f00 cf92fe00 df80: 00000000 c00a9cb0 00000003 00000000 00008e70 00000000 b6f17000 00000036 dfa0: c000e484 c000e300 00008e70 00000000 00000003 c0246f00 bec33d18 bec33d18 dfc0: 00008e70 00000000 b6f17000 00000036 00000000 00000000 b6f6d000 bec33d4c dfe0: b6ea1bd0 bec33d0c 00008c9c b6ea1bdc 60000010 00000003 00000000 00000000 (_omap_device_enable_hwmods+0x20/0x34) (omap_device_enable+0x3c/0x50) (_od_runtime_resume+0x10/0x1c) (__rpm_callback+0x54/0x98) (rpm_callback+0x64/0x7c) (rpm_resume+0x434/0x554) (__pm_runtime_resume+0x48/0x74) (omap_i2c_xfer+0x28/0xe8) (__i2c_transfer+0x3c/0x78) (i2c_transfer+0x6c/0xc0) (i2c_master_send+0x38/0x48) (sha204p_send_command+0x60/0x9c) (sha204c_send_and_receive+0x5c/0x1e0) (sha204m_read+0x94/0xa0) (otp_do_read+0x50/0xa4) (vfs_ioctl+0x24/0x40) (do_vfs_ioctl+0x1b0/0x1c0) (sys_ioctl+0x38/0x54) (ret_fast_syscall+0x0/0x30) Code: e1a08002 ea000009 e598003c e592c05c (e7904003) Signed-off-by: Jean-Philippe Fran=C3=A7ois Acked-by: Kevin Hilman [tony@atomide.com: updated description with oops] Signed-off-by: Tony Lindgren Signed-off-by: Greg Kroah-Hartman commit 7bdb115b095903713d0b5128c24e5b8894f5967d Author: Gregory CLEMENT Date: Sun May 19 22:12:43 2013 +0200 ARM: plat-orion: Fix num_resources and id for ge10 and ge11 commit 2b8b2797142c7951e635c6eec5d1705ee9bc45c5 upstream. When platform data were moved from arch/arm/mach-mv78xx0/common.c to arch/arm/plat-orion/common.c with the commit "7e3819d ARM: orion: Consolidate ethernet platform data", there were few typo made on gigabit Ethernet interface ge10 and ge11. This commit writes back their initial value, which allows to use this interfaces again. Signed-off-by: Gregory CLEMENT Acked-by: Andrew Lunn Signed-off-by: Jason Cooper Signed-off-by: Greg Kroah-Hartman commit 33edcea352d7c7e601a61e987b029620fed0ca4d Author: Alan Stern Date: Tue May 14 13:57:19 2013 -0400 USB: fix latency in uhci-hcd and ohci-hcd commit e1944017839d7dfbf7329fac4bdec8b4050edf5e upstream. Commits c44b225077bb1fb25ed5cd5c4f226897b91bedd4 (UHCI: implement new semantics for URB_ISO_ASAP) and 6a41b4d3fe8cd4cc95181516fc6fba7b1747a27c (OHCI: implement new semantics for URB_ISO_ASAP) increased the latency for isochronous URBs in uhci-hcd and ohci-hcd respectively to 2 milliseconds, in an attempt to avoid underruns. It turns out that not only was this unnecessary -- 1-ms latency works okay -- it also causes problems with certain application loads such as real-time audio. This patch changes the latency for both drivers back to 1 ms. This should be applied to -stable kernels going back to 3.8. Signed-off-by: Alan Stern Reported-and-tested-by: Joe Rayhawk CC: Clemens Ladisch Signed-off-by: Greg Kroah-Hartman commit aa4ccf7a840cadad4d835869ea96d24ecca42c40 Author: Alan Stern Date: Tue May 14 13:57:51 2013 -0400 USB: OHCI: fix logic for scheduling isochronous URBs commit 815fa7b917614261748d1ecd9600ff27f99508e5 upstream. The isochronous scheduling logic in ohci-hcd has a bug. The calculation for skipping TDs that are too late should be carried out only in the !URB_ISO_ASAP case. When URB_ISO_ASAP is set, the URB is pushed back so that none of the TDs are too late, which would cause the calculation to overflow. The patch also fixes the calculation to avoid overflow in the case where the frame value wraps around. This should be applied to -stable kernels going back to 3.8. Signed-off-by: Alan Stern Signed-off-by: Greg Kroah-Hartman commit ccc1525f37a888da3abfef899bd746d292793f40 Author: Hans-Christian Egtvedt Date: Mon May 13 22:22:10 2013 +0200 avr32: fix relocation check for signed 18-bit offset commit e68c636d88db3fda74e664ecb1a213ae0d50a7d8 upstream. Caught by static code analysis by David. Reported-by: David Binderman Signed-off-by: Hans-Christian Egtvedt Signed-off-by: Greg Kroah-Hartman